Datatilsynet (Norway) - 15/01355: Difference between revisions

Latest revision as of 06:21, 6 March 2022

Datatilsynet (Norway) - 15/01355
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 4(11) GDPR
Article 5(1)(a) GDPR
Article 6(1) GDPR
Article 6(1)(a) GDPR
Article 6(1)(f) GDPR
Article 7 GDPR
Article 7(4) GDPR
Article 9 GDPR
Article 9(2)(a) GDPR
Article 85 GDPR
European Convention on Human Rights Article 10
European Convention on Human Rights Article 8
Grunnloven (The Constitution of the Kingdom of Norway) § 100
Personopplysningsloven (Personal Data Act) § 3
Type: Investigation
Outcome: Violation Found
Started: 10.07.2015
Decided: 08.11.2017
Published: 15.11.2017
Fine: None
Parties: Legelisten.no AS
National Case Number/Name: 15/01355
European Case Law Identifier: n/a
Appeal: Appealed - Partly Confirmed
Personvernnemnda (Norway)
2018-14 (15/01355)
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

In 2017, the Norwegian DPA held that a company "Legelisten", running an anonymous review website of healthcare personnel, lacked a legal basis for processing and instructed them to allow said personnel to opt out of being listed and reviewed. In 2019, the decision was overturned by the Privacy Appeals Board, was then taken to various lower courts before ultimately ending up in the Supreme Court, who ruled in December 2021 that Legelisten indeed had a legal basis in Article 6(1)(f), legitimate interest.

English Summary

Facts

Legelisten.no AS is a Norwegian limited liability company running a website where people can anonymously post reviews about dentists, doctors, psychologists and other healthcare personnel. A review must adhere to Legelisten's policy: it should include a heading and a description of at least 100 characters, as well as a rating from one to five stars. The user is asked to include positive and negative aspects and avoid offensive language, allegations of malpractice or rumors. The user must confirm their submission via email and all reviews are monitored and moderated by Legelisten as a part of their quality assurance process.

The Norwegian DPA received (and processed) several complaints related to the site since its inception in 2012. Their final decision relates to a case from 2015, when a dentist lodged a complaint after she had received a negative review. She claimed that the processing of her personal data did not have a legal basis and demanded to have her personal data removed from the site. The DPA disagreed and the case was submitted to the Norwegian Privacy Appeals Board (Personvernnemnda), who returned the case to the DPA for new processing due to lack of consideration of the dentist's demand to have her personal data removed from Legelisten.

This time, the DPA also considered several other aspects of the case, particularly whether Legelisten was the controller (Legelisten claimed they acted as a processor) and whether Legelisten had legal grounds for processing reviews of healthcare personnel. The DPA also considered exemptions or derogations for processing carried out for journalistic purposes or the purpose of academic, artistic or literary expression, and whether the processing would be covered by the right to freedom of expression and information, seen against the Norwegian Personal Data Act, the Norwegian Constitution, and the European Convention on Human Rights.

Holding

The DPA investigated several aspects of the processing of personal data in the case, summarized below.

Personal data processing

The DPA described various categories of personal data processing:

Objective personal data about healthcare personnel pertains to general information about their age, gender and when the individual received their license to practice medicine.

Subjective personal data about healthcare personnel pertains to the reviews posted about them.

Information about warnings and penalties issued by the Norwegian Board of Health Supervision also pertains to personal data about healthcare personnel.

Special category personal data about the users is involved when their review relates to the use of specialist healthcare services, for example a visit to a psychiatrist or oncologist.

Controller responsibility

The DPA found that Legelisten is the controller for all processing of personal data related to their site (as listed above), for both users and the healthcare personnel, because they in all these instances determine how the personal data will be processed (the purpose) and the means (technical platform, layout, which processors to use).

Legal grounds for processing

The DPA found that the legal grounds for the various processing activities are as follows:

  • For the objective personal data about healthcare personnel: Article 6(1)(f), legitimate interest.
  • For the subjective personal data about healthcare personnel: Article 6(1)(f), legitimate interest.
  • For the information about warnings and penalties issued by the Norwegian Board of Health Supervision: Article 6(1)(f), legitimate interest.
  • For the special category personal data:
    • About diagnosis: Article 6(1)(a), cf. Article 9(2)(a), consent.
    • About the users' visits to a healthcare specialist (email address combined with a review which relates to the use of specialist healthcare services): The DPA first reviewed the likely possible legal bases for processing (consent, fulfilment of a contract and legitimate interest), but concluded that there was no legal basis Legelisten could rely on for this processing activity. Thus, the processing had to stop and all related data collected earlier had to be deleted.

The relationship to freedom of speech and processing for journalistic purposes

The DPA found that there were no exemptions or derogations for processing carried out for journalistic purposes in this case. They also found that § 100(3) of the Norwegian Constitution, which relates to free speech, did not apply in this case, and that their decision does not contradict § 100(4) which relates to prior censorship. The DPA further found that their decision, which would result in an intervention in the freedom of speech, is justifiable seen against the European Convention on Human Rights Article 10.

Conclusion

In conclusion, the DPA held that:

  1. Legelisten is required to allow healthcare personnel to opt out of being reviewed on the site, because this processing of their personal data lacks a legal basis.
  2. Legelisten is required to establish an erasure policy to ensure that information about the withdrawal of healthcare personnel's authorisation to practice, licenses or approvals for specialist treatments is deleted within five years after a new authorisation, license or approval has been granted, because this processing otherwise lacks a legal basis.
  3. Legelisten is required to establish an erasure policy to ensure that information about the withdrawal of healthcare personnel's right to make requisitions is deleted within two years after a new right has been granted, because this processing otherwise lacks a legal basis.
  4. Legelisten is required to establish an erasure policy to ensure that information about the restriction of healthcare personnel's authorisation to practice, licenses, approvals for specialist treatments or right to make requisitions is deleted within two years after the limitations have been repealed, because this processing otherwise lacks a legal basis.
  5. Legelisten is required to establish an erasure policy to ensure that information about healthcare personnel who have received warnings from the Norwegian Board of Health Supervision is deleted within two years after the warning was issued, because this processing otherwise lacks a legal basis.
  6. Legelisten is required to ensure that information about healthcare personnel's authorisation to practice, licenses, approvals for specialist treatments or right to make requisitions is correct and up to date.
  7. Legelisten is required to delete information about healthcare personnel who no longer practice, because this processing of personal data is no longer relevant for the original purpose.
  8. Legelisten is required to stop processing special category personal data by asking for or storing the email address of patients who have reviewed healthcare personnel in specialist health services, because this processing lacks a legal basis.
  9. Legelisten is not granted an exception from the license requirement for processing personal data, because the processing of special category personal data lacks a legal basis.
  10. Legelisten is required to provide information to healthcare personnel about the processing of their personal data.

Comment

Complaints against Legelisten started in 2012 and went through several rounds both at the Norwegian DPA and the Privacy Appeals Board (Personvernnemnda), before going to the Norwegian courts and, ultimately, the Supreme Court.

The initial cases were assessed against the former Personal Data Act of 2000; however, since the case continued into 2018 (and later), after the GDPR had taken effect, everything above is referenced with GDPR Articles. Consequently, the DPA's decision item 8 was removed entirely, as the introduction of the GDPR removed the requirement for a license from the DPA to process special category personal data.

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Decision on reservation right on Legelisten.no

The Norwegian Data Protection Authority has decided that health personnel should be able to reserve themselves from being assessed on Legelisten.no. Legelisten.no will appeal this decision, and any right of reservation will not apply until the Privacy Board has completed the case.

At Legelisten.no you can enter anonymous assessments of GPs or health personnel in the specialist health service. On the basis of the assessments, health personnel are ranked in relation to each other. The Norwegian Data Protection Authority has received many inquiries from health personnel who feel that the site does not balance the consideration for freedom of expression and the consideration for privacy in a good enough way. After assessing the case, the Data Inspectorate has come to the conclusion that health personnel must be given the right to make reservations in order to better protect the individual's privacy.

Legelisten.no will appeal this point of the decision. Therefore, the right of reservation will not take effect until our appeal body, the Privacy Board, has completed the case, and only if the board reaches the same result.

Legelisten.no can be misused

Healthcare professionals often have to make unpopular decisions, such as not prescribing painkillers or antibiotics, not giving sick leave or not referring to unnecessary tests. If health personnel make decisions that are correct from a health perspective but unpopular, they may experience being punished for this by someone leaving negative assessments on Legelisten.no. Many of the doctors who have contacted the Norwegian Data Protection Authority find this very uncomfortable and feel that it challenges their professional integrity.

Those who use Legelisten.no also cannot be sure whether the person writing the assessment has actually been a patient of the doctor. Positive reviews can be written by close relatives, while negative reviews can be written by someone who wants to blacken the health personnel's reputation. It is therefore difficult to know which of the assessments one can trust, and the value of the assessments is limited.

Anyone who searches for the doctor's name will see the assessments that have been posted about them. This can affect personal relationships. One doctor said that she wanted to quit as a GP because she found it stressful to think that anyone in her circle of friends could see all the assessments. Other doctors have pointed out that the assessments primarily affect their children and that children can experience bullying if the parents have received negative assessments.

Doctors have the opportunity to respond to assessments on the website, but since the assessments are anonymous, it is difficult for the doctor to know which situation a negative assessment originates from. Even if the doctors understand which patient has written the assessment, the duty of confidentiality prevents them from giving an exhaustive answer.

Decision on reservation access

Privacy and freedom of expression are two equal human rights, and in this type of case where the two rights come into conflict with each other, the consideration of freedom of expression and the consideration of privacy must be balanced.

The Data Inspectorate believes that this balance is not good enough in this case and that Legelisten.no must introduce reservation access to improve the balance.

Rating pages are generally allowed

Strict requirements are set for doctors' independence and professional integrity. Healthcare professionals are a professional group that sometimes have to make unpopular decisions. Therefore, doctors are not very suitable for evaluation on rating sites. The fact that a doctor has bad assessments may in some cases be due to the person in question having done his job in a good way.

On the other hand, there are many professional groups whose task is to appease customers or clients. There is greater access to assessment and ranking of these occupational groups. As long as such rating sites have guidelines, moderation and similar measures that safeguard privacy to a sufficient degree, the main rule is that considerations of freedom of expression take precedence - and that the websites are legal without reservation access.

Legelisten.no is not allowed to process sensitive personal data

When you leave an assessment on Legelisten.no, you must provide an e-mail address. For many, the email address contains names. Therefore, email addresses are often considered personal information.

If you have been to a specific doctor, it can often say something about your own health situation. For example, if you have a cancer doctor, it often indicates that you have cancer. If you post an assessment of this doctor on the website, Legelisten.no potentially holds a register that can say something about the users' health problems.

The Norwegian Data Protection Authority therefore orders Legelisten.no to delete the e-mail addresses of users who have assessed health personnel in the specialist health service.

Legelisten.no has the right to appeal

The Data Inspectorate's decision is final, but has a three-week appeal period. This means that Legelisten.no can appeal the decision. In that case, the Privacy Board will take a final position on the case.



Published: 15.11.2017