Datatilsynet (Norway) - 20/02291

From GDPRhub
Revision as of 09:40, 3 November 2020 by Riealeksandra (page created)
Datatilsynet - 20/02291-4
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 24 GDPR
Article 32 GDPR
Health Records Act §§ 22-23
Personal Data Act § 26(1)
Type: Investigation
Outcome: Violation Found
Started:
Decided: 22.10.2020
Published: 27.10.2020
Fine: 750000 NOK
Parties: Sykehuset Østfold HF
National Case Number/Name: 20/02291-4
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA fined Østfold Hospital NOK 750,000 (approx. EUR 64,400) for insufficiently protecting patient data (Articles 32 and 5(1)(f) GDPR) and for inadequate internal controls (Articles 24 and 5(2) GDPR).

English Summary

Facts

Østfold Hospital notified the DPA of a personal data breach involving patient data. The notification covered insufficient security (no access control and no logging on the folders concerned, and non-compliance with the hospital's own policies and procedures) as well as storage of personal data for longer than necessary. Datatilsynet launched an investigation, which concluded with a fine on 22 October 2020.

Dispute

How serious was the personal data breach reported by Østfold Hospital? Did the hospital breach the former Personal Data Act, the updated one that incorporates the GDPR, or both?

Holding

The DPA held that Article 32, cf. Articles 24 and 5(1)(f), as well as the Health Records Act § 22, were breached because of unauthorised access to patient data. It held that Article 32, cf. Articles 24 and 5(2), as well as the Health Records Act § 23, were breached because of unauthorised access to, and possible unauthorised alteration of, patient data. It further held that Article 32, cf. Articles 24, 5(1)(f) and 5(2), as well as the Health Records Act §§ 22 and 23, were breached due to the lack of confidentiality, integrity and availability, and that Article 32, cf. Articles 24 and 5(1)(e), as well as the Health Records Act § 23, were breached because personal data were stored unlawfully. Finally, the DPA held that the medical records system's function for extracting patient reports was not in line with the principles of data protection by design and by default (Article 25, cf. Articles 32 and 24), and that Østfold Hospital had failed to meet the requirements of Article 30 for this processing activity.

Comment

It is interesting to note how the DPA reasons about which law applies, since the personal data breach began in 2013, before the GDPR came into effect. Because the breach continued into January 2019, the DPA held that the updated Personal Data Act, which incorporates the GDPR, applied to the case, raising the maximum potential fine from NOK 1,000,000 (approx. EUR 89,800) to NOK 107,000,000 (up to EUR 10,000,000).


English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Violation fee to Østfold HF Hospital

The Norwegian Data Protection Authority has imposed an infringement fee of NOK 750,000 on Østfold HF Hospital. The background is that in the period 2013-2019 the hospital stored report extracts from patient records outside the secure zone. The case began with a breach report from the hospital itself.

- The folders where the extracts were stored were not access controlled, and activity in the folders was not logged. The report extracts were also kept long after the lists were no longer needed. That such extensive storage of unshielded health information could take place over a long period indicates, in our view, shortcomings in the internal management system, says senior legal adviser Susanne Lie.

About the breach

The report extracts were lists of patients ready for discharge (USK lists) and contained special categories of personal data (sensitive patient information). The breach concerns three different sets of lists:

    A current USK list covering approx. 25-30 patients. This list was refreshed every 15 minutes.
    A historical USK list from 2013 to 2019, covering 13,800 patients and 26,596 discharges.
    Two lists containing birth number (fødselsnummer, the Norwegian national identity number) and reason for admission, covering approx. 30 patients.

The personal data in the lists included demographic information such as name, date of birth, municipality and department affiliation, and any information about arrangements needed when transferring a patient to a municipality. Two of the lists also contained birth number and reason for admission.

There was no access control on the area / folders where the report extracts were stored or temporarily stored, and it was not logged whether employees accessed the information. The personal data were available to 118 employees at Østfold HF Hospital, most of whom had no work-related need for such access.

Assessment

The Norwegian Data Protection Authority finds that Østfold HF Hospital has not established an access control system sufficient to prevent similar breaches from recurring, with particular reference to the routines for access control and for storage of personal data. The management system must include follow-up to verify that the routines are actually followed, which also means verifying that only secure systems are used when processing sensitive personal data.