Datatilsynet (Denmark) - Region Sjælland
|Datatilsynet - Region Sjælland
|Article 32 GDPR
|National Case Number/Name:
|European Case Law Identifier:
|Datatylsinet (Denmark) (in DA)
The Danish DPA reprimanded a regional administration for providing access to a health database to more than 16,000 staff members, in lack of a substantial connection between the tasks of the latter and the information processed.
English Summary[edit | edit source]
Facts[edit | edit source]
The staff of the Danish region of Zealand had access to a health database concerning patients treated by public hospitals. The database contains names, addresses, social security numbers and health data. The Region claimed that the access by staff members was necessary to perform multidisciplinary administrative tasks and improve efficiency. The Region also stressed that staff members were subject to professional secrecy obligations.
The Danish DPA started an ex officio investigation.
Holding[edit | edit source]
The DPA clarified that the Region of Zealand was the controller in the case at issue. According to Article 32 GDPR, the controller shall implement technical and organisational measures to ensure a level of security appropriate to the risks concerning the processing.
The DPA stressed that access to personal data follows the principle of data minimisation and should be limited to those data that are strictly necessary to perform job-related tasks. The DPA did not disregard the argument that efficient health services require extensive processing activities by public administrations. However, the controller had to check that only staff members whose tasks were related to health services had access to the files. In this case, the database was accessible to a large number of people – actually more than 16,000. This was clearly disproportionate in light of Article 32 GDPR.
Moreover, the DPA found that the controller did not keep a record of the log-ins to the database by their employees. Therefore, it was not possible to monitor whether such a broad access was in practice only theoretical or members of the staff made excessive use of the tool. Thus, the controller could not prove compliance with the Regulation.
In light of the above, the DPA reprimanded the controller pursuant to Article 58(2)(b) GDPR.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
Region Zealand receives serious criticism for lack of security measures Date: 13-09-2023 Decision Public authorities Serious criticism Supervision / self-operating case Processing basis The Danish Data Protection Authority has expressed serious criticism of Region Zealand's lack of security around broad access to personal data and for having a logging system that did not allow to see which personal data a given user accessed. The Data Protection Authority received an inquiry that employees at Region Zealand via the front page of the Health Platform have access to patient lists across all Region Zealand Hospitals. The Danish Data Protection Authority chose to start a case on its own initiative to investigate the issue. 1. Decision After a review of the case, the Danish Data Protection Authority finds that there are grounds for expressing serious criticism that Region Zealand's processing of personal data has not taken place in accordance with the rules in the data protection regulation article 32, subsection 1. Below follows a closer review of the case and a rationale for the Data Protection Authority's decision. 2. Case presentation 2.1. Region Zealand's comments The Data Protection Authority received an inquiry that employees at Region Zealand via the front page of the Health Platform have access to patient lists across all Region Zealand Hospitals. The patient lists contain information on e.g. social security numbers, names and action or hospitalization diagnoses of patients with whom the employees do not necessarily have a treatment relationship. Region Zealand has informed the case that the patient lists can be accessed from the front page of the Health Platform and that the function has existed since the system was implemented in November 2017. The number of users at the stated time was 16,322. The patient lists are lists of patients admitted to the hospital's wards. The patient lists are preset to, among other things, to contain name, social security number and place of admission, but can be expanded with more information, e.g. diagnoses or other information if deemed necessary. The region regards the patient lists as an interdisciplinary work tool for all staff groups, which is why everyone with a login to the Health Platform has the opportunity to access the patient lists. The described application, the patient lists, help to support both the local clinical workflows, the transversal patient treatment and thus also the safety of patient treatment. As part of the function of the patient lists in relation to cross-disciplinary patient treatment and work organization, all staff groups in Region Zealand with a login to the Health Platform have the opportunity to access the information. Region Zealand further states that access to the patient lists is logged, but that the log does not show which patients are on the patient list at the time in question. 2.2. Board for Patient Safety comments The Agency for Patient Safety has – on the basis of a notification received – written to the Norwegian Data Protection Authority about access to the Health Platform. In that correspondence, the Board has stated that, in their assessment, there are no valid reasons for the very broad access to the patient lists in a treatment context, outside of the own department. In reality, such access will only be relevant for doctors and other professional staff with specific relevant supervisory functions. With regard to medical treatment, it is generally the primary department where the patient is admitted or affiliated, which is responsible for calling in or informing doctors from other specialties/departments for the purpose of, for example, examination or professional advice on patient treatment, including whether the patient should be transferred to another section, department or hospital. The board therefore assesses that there are no compelling reasons for the very broad access to the patient lists outside the own department in a treatment context. In reality, such access will only be relevant for doctors and other professional staff with specific relevant supervisory functions. The board further stated that it is difficult to more closely assess the mentioned need for broad access to the lists for use for the interdisciplinary supervision mentioned by the region across departments and the regions' hospitals, as only an overall description of this is given without specific examples or references to relevant professional instructions for such cross-disciplinary supervision. At the same time, it is the agency's immediate opinion that it is generally sufficient in patient treatment that the staff can access all relevant information and medical record material across the two regions regarding the specific patient by posting in SP on CPR. The board has stated that this is not a competent authority in relation to the GDPR. 2.3. Region Zealand's comments to the Agency for Patient Safety's inquiry Region Zealand has – in relation to the comments from the Agency for Patient Safety – stated that the Agency for Patient Safety does not consider itself to be a competent authority in relation to this data protection legal issue, cf. section 7, subsection of the Administrative Law. 2, and that the Agency for Patient Safety in that connection and after further explanation does not consider itself competent to assess the statement that Region Zealand has given to the Data Protection Authority. On this basis, Region Zealand has no further comments on the forwarded inquiry from the Agency for Patient Safety. 2.4. Region Zealand's further comments Building access is based on the principles from the Hospital Plan of a coherent treatment offer that has the patient in focus and supports both cross-cutting clinical workflows, while at the same time there is a strong focus on safety in patient treatment. The hospital plan is, among other things, expression of the region's implementation of Section 2 of the Health Act, where, for example, high-quality treatment, consistency between services, easy access to information, a transparent healthcare system, and short waiting times for treatment are key factors. In order to be able to support the best possible patient treatment at the hospital where the patient is admitted in this way, in addition to the actual treatment relationship, there are also other employee groups who have a legitimate, work-related need for access to patient information. With access to the patient lists, these employees can carry out healthcare screening of hospitalized patients, interdisciplinary treatment and supervision, as well as provide decision support. In addition, the patient lists are used for capacity management and planning. The need for access cannot therefore be limited to the actual treatment relationship. At the same time, employees in the public administration are generally subject to a duty of confidentiality, cf. Section 27 et seq. of the Norwegian Administration Act. In addition, according to Section 40 of the Health Act, healthcare professionals are required to observe silence in connection with the exercise of their profession. 3. Reason for the Data Protection Authority's decision The Danish Data Protection Authority assumes that lists of patients admitted to the hospital's wards have been accessible from the front page of the Health Platform and that the function has existed since November 2017. It is also assumed that a significant number of users with access to the list have been authorized and that this number, specifically in March 2022, was 16,322. In accordance with Region Zealand's own information, it is assumed that the patient lists can contain name, social security number and place of admission, and can be expanded with more information, e.g. diagnoses or other information if deemed necessary. In general, the Danish Data Protection Authority is of the opinion that a user's access to personal data may only take place on the basis of a considered and documented decision by the data controller. The user's access to personal data must reflect a necessary connection to the realization of the purpose for which the information is legally processed. The Norwegian Data Protection Authority has stated in several decisions on the Norwegian Data Protection Authority's website that this connection to the purpose – for employed users – must exist as a work-related need before access is granted. It follows from the data protection regulation article 32, subsection 1, that the data controller must take appropriate technical and organizational measures to ensure a level of security appropriate to the risks involved in the data controller's processing of personal data. On this basis, the data controller has a duty to identify the risks that the data controller's processing poses to the data subjects and to ensure that appropriate security measures are introduced to protect the data subjects against these risks. The Danish Data Protection Authority is of the opinion that the requirement for adequate security will normally mean that the data controller continuously checks whether user access to systems is limited to the personal data that is necessary and relevant for the user in question. In addition, the Danish Data Protection Authority is of the opinion that the requirement for adequate security will normally mean that the data controller regularly carries out random samples of the log to check that users only access information that they have a work-related need for. In addition, the Danish Data Protection Authority is of the opinion that the control of access rights should normally, as a minimum, consist of a verification of the work-related need at the time of allocation, an ongoing control based on verification that this need is still present and some form of auditing thereof. If the auditing is carried out as random checks, the number and frequency of random samples taken must be representative in relation to the number of possible incidents and the risk to the rights of the data subjects. The Danish Data Protection Authority understands that the health sector may generally have a need for wider access to personal data, in order to ensure that relevant health professionals have knowledge and familiarity with the patient so that they can carry out their work in accordance with the health law regulations to which they are subject . The Danish Data Protection Authority must, however, ensure that this wider access only happens to those employees for whom it may be a concrete work-related need and only in those work situations where this may be relevant. An abstract need should instead be handled by differentiating on work tasks and legislative or professional obligation, giving separate access to users to carry out searches, or being presented with overviews that create the necessary information. Unlawful access to personal data - by authorized users - is a threat scenario that is not only potential, but an expression of a real and relatively frequent scenario that leads to a breach of personal data security. The scenario occurs repeatedly, despite a generally high level of information aimed at users, about the legality and possible punishment according to the criminal law, by making the unlawful postings. The Danish Data Protection Authority is of the opinion that, in view of the mentioned real threat scenarios and the realization of these – despite the organizational measures to address the risk – there must be a limitation in the immediate and universal access to list functions and created representations of personal data that lie beyond the processing responsibility of the user in question or is not necessary to carry out a specific task that requires such access to personal data. Furthermore, the Danish Data Protection Authority is of the opinion that in order to assess whether a given posting has been justified or not, it is necessary to log the correlation between the specific personal data that is presented, searched for or can be seen on the screen and the user context for this. The Danish Data Protection Authority finds that Region Zealand – by giving 16,322 users access to patient lists at all the Region's hospitals – has had access to personal data which, based on the specific risk, did not constitute an appropriate level of security. In addition, the Data Protection Authority finds that Region Zealand - by not having a log that reflected what personal data a given user had seen - did not have appropriate technical and organizational measures that could document and follow up on any misuse of the very broad assigned user access to personal data . Hereby, Region Zealand has not complied with the data protection regulation's article 32, subsection 1. The Danish Data Protection Authority therefore expresses serious criticism that Region Zealand's processing of personal data has not taken place in accordance with the rules in the data protection regulation, article 32, subsection 1. The Danish Data Protection Authority has also given weight to the fact that the Agency for Patient Safety has stated that, in their assessment, there are no compelling reasons for the very broad access to the patient lists outside of the department's own department in relation to treatment. And that such access will only be relevant for doctors and other professional staff with specific relevant supervisory functions. The Danish Data Protection Authority must emphasize that the assessment of the risk expressed in the decision should cause Region Zealand to carry out an audit of the entire access rights structure that is used in general, and that it is the authority's expectation that the Region audits all areas where broad access is used without a concrete treatment relationship or a concrete documented need for access to the personal data.  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free exchange of such data and on the repeal of Directive 95/46/EC (general regulation on data protection).  i.a. 2012-622-0004, 2014-632-0075 and 2022-423-0261