Garante per la protezione dei dati personali (Italy) - 9754355
| Field | Value |
|---|---|
| Authority | Garante per la protezione dei dati personali (Italy) |
| Relevant Law | Article 5(1)(f) GDPR; Article 9 GDPR |
| Parties | L'Azienda socio sanitaria territoriale Melegnano e della Martesana - A.S.S.T. |
| National Case Number/Name | 9754355 |
| European Case Law Identifier | n/a |
| Original Source | Garante per la Protezione dei Dati Personali (in IT) |
| Initial Contributor | Cesar Manso-Sayao |
English Summary
Facts
This case was initiated by a data breach notification submitted to the Italian DPA (Garante per la Protezione dei Dati Personali – Garante) by a controller, in this case the local health authority of Melegnano e della Martesana (L'Azienda socio sanitaria territoriale Melegnano e della Martesana - A.S.S.T.). The data breach concerned the unauthorised disclosure of a medical report to a third party. The breach did not involve the controller's IT systems and infrastructure; it was instead due to a mistake by an employee, who handed the wrong physical paper copy of a medical report to another patient.
The controller explained to the Garante that it only became aware of the violation following a communication by the lawyer of the person to whom the medical documentation had been mistakenly given. The controller stated that it had subsequently asked this person to destroy any digital and paper copies that may have been made of it, and not to disclose the contents of the report to any third parties.
Additionally, the controller stated that it had notified the affected data subject that the data breach had occurred, and had also conducted an internal audit to determine the causes for the mistake, revising its internal procedures, and implementing further training courses focused on the correct management of documentation and health data.
Holding
The Garante held that the employee's mistake had led to the disclosure of a data subject's health data to a third party without a valid legal basis, in violation of Article 9 GDPR. Additionally, it held that the employee's negligence also constituted a violation, on the part of the controller, of the principle of integrity and confidentiality under Article 5(1)(f) GDPR, since the controller is responsible for processing personal data in a manner that ensures security through appropriate technical and organisational measures in order to prevent unauthorised or unlawful processing.
However, the Garante acknowledged, as mitigating factors, that the health data breach was an isolated incident concerning only one data subject; that the controller had introduced measures to remedy the human error; that the controller had communicated the breach to the data subject as well as to the Garante; that there had been no data subject complaint related to the data breach; and that the controller had fully cooperated with the Garante during the investigation.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[doc. web n. 9754355]

Injunction order against the territorial socio-sanitary company Melegnano and Martesana - 10 February 2022

Record of measures n. 47 of 10 February 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice president, Avv. Guido Scorza, member, and Cons. Fabio Mattei, general secretary;

GIVEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter the "Regulation");

GIVEN Legislative Decree 30 June 2003, n. 196, containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC" (hereinafter the "Code");

GIVEN Legislative Decree 10 August 2018, n. 101, on "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC";

GIVEN Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette n. 106 of 8/5/2019 and at www.gpdp.it, doc. web n. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019");

HAVING REGARD to the documentation on file;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web n. 1098801;

Rapporteur: Prof. Ginevra Cerrina Feroni;

WHEREAS

1. Notification of infringement

With a note dated XX, the Melegnano and Martesana territorial social health company notified a personal data breach consisting in the communication of a report relating to a diagnostic examination performed at the Rozzano clinic to a person not entitled to receive it, which occurred on XX. On the same occasion, the Company declared that it became aware of the breach only on XX, following the communication by the lawyer of the person to whom the aforementioned health documentation had been erroneously delivered.

From what is represented, the IT systems and infrastructures were not involved in the incident, as "the preparation of the paper envelope with the paper report inside is carried out by authorized parties. The delivery to the recipient takes place by the staff", who "before delivering the paper reports, checks the identity of the applicant, by checking the document and any delegation for collection, the latter formalized by filling in a specific form". The person who erroneously received the report was asked to "destroy any digital and paper copies that had been made" and "not to disseminate or communicate the contents of the report to third parties".

Among the measures envisaged in order to prevent similar future violations, the Company indicated the "preparation of a new training course in relation to the tasks assigned to the staff, which highlights the procedures for ascertaining the legitimacy of the withdrawal of the report by the subject who requests it, with particular attention to the aspect of the protection of personal data"; the "preparation of a thematic audit on the procedures for managing the delivery of medical reports by the staff in charge of users"; and the intention to "post a notice in a clearly visible manner at the premises inviting patients to verify the correctness of the header of the reports before leaving the hospital".

In relation to what emerged from the documentation and the breach notification made by the Company, the Office, with a note dated XX (prot. No. XX), notified the Company, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation, inviting the data controller to produce defensive writings or documents to the Guarantor or to ask to be heard by the Authority (Article 166, paragraphs 6 and 7, of the Code; as well as Article 18, paragraph 1, of Law no. 689 of 11/24/1981). In particular, the Office, in the aforementioned deed, identified a violation of the basic principles of processing referred to in Articles 5 and 9 of the Regulation, in relation to the communication of data relating to the health of a patient to another patient in the absence of a suitable legal basis.

With a note dated XX, the Company sent its defense briefs, in which, in particular, after describing its business organization, it highlighted that:

- in relation to art. 83, par. 2, lett. a), of the Regulation: "violations are to be considered as deriving exclusively from human error. With reference to the exchange of reports, the following is specified, in relation to the protocol adopted for the delivery of the colpocytological results at the Rozzano Clinic. Upon their arrival from the Pathological Anatomy of Melegnano, the results of the exams are evaluated by the Doctors, who deliver the non-pathological exams to the nurses. The latter are enveloped and brought to the CUP, which in turn delivers them to the patient after the proxy is shown and the personal data verified. The pathological outcomes are evaluated by the Doctors, who contact the patients directly and invite them to come to the Outpatient Clinic on the days of service to personally collect the result with the related diagnostic-therapeutic indications. In the meantime, the reports are kept in the outpatient clinic. Only in the event that the patient, repeatedly contacted, is not available, is the result delivered to the CUP accompanied by a note that invites the patient to contact the Doctor as soon as possible. With reference to the case in question, Mrs. C. withdrew the result on Friday 13-12-19 evidently from the CUP, since it is a day on which the Doctor who performed the analysis does not work. Ms C. has never contacted the ASST, either to collect her result (which remained uncollected), or to return the report erroneously delivered, which was never claimed by Ms N.";

- in relation to art. 83, par. 2, lett. b), of the Regulation: "it is believed that the violation is negligent as it was dictated exclusively by human error of the company personnel authorized to process personal data";

- in relation to art. 83, par. 2, lett. c), of the Regulation: "due to the event, the Azienda Socio Sanitaria Territoriale Melegnano e della Martesana initiated an internal check in order to understand the reason for the incident and at the same time acquired information to contact the interested party, to whom the notification of a breach of personal data security has been sent";

- in relation to art. 83, par. 2, lett. d), of the Regulation: "The Melegnano and Martesana Territorial Social Healthcare Company in March 2018 defined the internal roles for the protection of personal data with: - Resolution of the General Manager no. 297 of 22-03-2018 for the purpose: Determinations regarding the application of the New EU Regulation. In this document there is the identification of the Medical Presidium Directors and the Directors of the Healthcare and Social Health Departments, both functional and managerial, as well as all the Managers in charge of Simple and Complex Structures, who are framed as Territorial Data Processors; it has carried out constant promotion activities in the field of data protection since 2008. The documentation relating to the courses carried out is in the Company's records. For the management of the medical record, on XX, the Company revised the company procedure 'GENERAL COMPANY PROCEDURE - MANAGEMENT OF THE MEDICAL RECORD'. As a result of the events that developed and were notified to this Authority, as well as following discussions with the Company's representatives and the DPO, the need has emerged to review and further implement the procedure in place and to further instruct the persons in charge and internal processing managers. The company representatives have decided to take corrective action to update the management of the medical record throughout the company. The following activities will therefore be launched: sharing with all UU.OO. a health care vademecum on the correct management of the medical record; sharing with all UU.OO. an evaluation questionnaire on the current management of the medical record with the aim of defining further document quality controls, in addition to those already present in the attached procedure; implementation of further monitoring and review actions in addition to those already defined in the procedure; scheduling of specific meetings with the DPO; planning of further training courses focused on the correct management of documentation and clinical and health data";

- in relation to art. 83, par. 2, lett. f), of the Regulation: "all the elements requested have been provided to the Authority within the deadlines identified by this Guarantor Authority";

- in relation to art. 83, par. 2, lett. g), of the Regulation: "the violation relates to special categories of data suitable for revealing the state of health (pursuant to article 9 of Regulation 679/2016/EU)";

- in relation to art. 83, par. 2, lett. h), of the Regulation: "This Guarantor Authority became aware of the violations on the basis of specific communications made by the Territorial Healthcare Company Melegnano e della Martesana";

- in relation to art. 83, par. 2, lett. i), of the Regulation: "in the communications exchanged, this Guarantor Authority has not to date requested corrective measures concerning the violations reported";

- in relation to art. 83, par. 2, lett. j), of the Regulation: "The Melegnano and Martesana Territorial Social Healthcare Company has not adhered to codes of conduct, which do not currently appear to have been approved / implemented in the health sector";

- in relation to art. 83, par. 2, lett. k), of the Regulation: "given the current easing of the health emergency deriving from Covid-19 compared to the time of the violations, it is believed that, with a gradual return to ordinary management of activities, the possibility of human error is severely limited".

2. Outcome of the preliminary investigation

Having taken note of what is represented by the Company in the documentation on file and in the defense briefs, it is noted that:

- the information that is the object of the notification constitutes personal data relating to health, which deserve greater protection since the context of their processing could create significant risks for fundamental rights and freedoms (Recital 51);

- the rules on the protection of personal data provide - in the health sector - that information on the state of health can only be communicated to the data subject and can be communicated to third parties only on the basis of a suitable legal basis (Article 9 of the Regulation and art. 84 of the Code in conjunction with art. 22, paragraph 11, of Legislative Decree 10 August 2018, n. 101);

- the data controller is, in any case, required to comply with the principles of data protection, including that of "integrity and confidentiality", according to which personal data must be "processed in a manner that ensures appropriate security (...), including protection, by means of appropriate technical and organisational measures, against unauthorised or unlawful processing and against accidental loss, destruction or damage" (Article 5, paragraph 1, letter f) of the Regulation).

3. Conclusions

In light of the aforementioned assessments, taking into account the statements made by the data controller during the investigation and considering that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or the exercise of the powers of the Guarantor", the elements provided by the data controller in the aforementioned defensive briefs, which acknowledge what was contested in the act initiating the procedure referred to in art. 166, paragraph 5, of the Code, are not suitable for accepting the requests for dismissal formulated in the defense briefs, and do not allow the findings notified by the Office with the aforementioned act initiating the procedure to be fully overcome.

For these reasons, the unlawfulness of the processing of personal data carried out by the Company is noted, in violation of the basic principles of processing, pursuant to Articles 5 and 9 of the Regulation. In this context, considering, in any case, that the conduct has exhausted its effects, the conditions for the adoption of the corrective measures referred to in art. 58, par. 2, of the Regulation.

4. Adoption of the injunction order for the application of the pecuniary administrative sanction and ancillary sanctions (Articles 58, paragraph 2, letter i) and 83 of the Regulation; art. 166, paragraph 7, of the Code)

The violation of Articles 5, par. 1, lett. f) and 9 of the Regulation, caused by the conduct of the Company, is subject to the application of a pecuniary administrative sanction pursuant to art. 83, par. 5, lett. a) of the Regulation (see Article 166, paragraph 2, of the Code).

It should be considered that the Guarantor, pursuant to art. 58, par. 2, lett. i) and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, depending on the circumstances of each individual case" and, in this context, "the College [of the Guarantor] adopts the injunction order, with which it also decides on the application of the ancillary administrative sanction of its publication, in whole or in excerpt, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code" (Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

The aforementioned pecuniary administrative sanction, imposed depending on the circumstances of each individual case, must be determined in its amount taking into account the principles of effectiveness, proportionality and dissuasiveness indicated in art. 83, par. 1, of the Regulation, in light of the elements provided for in art. 83, par. 2, of the Regulation, in relation to which it is noted that:

- the processing carried out by the Company that is the subject of this provision concerns health data of a single data subject (Article 83, paragraph 2, letters a) and g) of the Regulation);

- the violation is culpable and derives from an error by the authorized person in enveloping the reports (Article 83, paragraph 2, letters b) and d) of the Regulation);

- the data controller has fully collaborated with the Guarantor during this proceeding to remedy the human error concerning an isolated case (Article 83, paragraph 2, letter f) of the Regulation);

- the Authority became aware of the violation following the breach notification by the data controller, and no complaints or reports concerning the incident have been received by the Guarantor (Article 83, paragraph 2, letter h) of the Regulation).

On this point, it should also be noted that the Company has already been the recipient of a provision pursuant to art. 58 of the Regulation for having carried out processing in violation of art. 5, par. 1, lett. f), and 32 of the Regulation, in relation to two incidents of loss of health data which occurred in a short period of time (provision of 29 April 2021, web doc. no. 9672313). However, the aforementioned violations cannot be qualified as a "previous violation" pursuant to art. 83, par. 2, lett. e) of the Regulation, as they occurred (or the data controller became aware of them) after the conduct from which today's breach notification pursuant to art. 33 of the Regulation originated.

Due to the aforementioned elements, assessed as a whole, it is deemed appropriate to determine the amount of the pecuniary sanction provided for by art. 83, par. 5, lett. a) of the Regulation at € 3,500.00 (three thousand five hundred) for the violation of Articles 5, par. 1, lett. f) and 9 of the Regulation, as a pecuniary administrative sanction that is, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

It is also believed that the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, considering that the Company has been the recipient of another provision and that the data subject to unlawful processing fall into the special category referred to in art. 9, paragraph 1, of the Regulation.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

WHEREAS, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the Melegnano and Martesana territorial social health company, for the violation of Articles 5, par. 1, lett. f) and 9 of the Regulation.

ORDERS, pursuant to art. 58, par. 2, lett. i) and 83 of the Regulation, as well as art. 166 of the Code, the Melegnano and Martesana territorial social health company, with registered office in Vizzolo Predabissi (MI), via Pandina 1, 20070, tax code and VAT number 09320650964, in the person of its pro-tempore legal representative, to pay the sum of € 3,500.00 (three thousand five hundred) as a pecuniary administrative sanction for the violation indicated in this provision; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed.

ENJOINS the aforementioned Melegnano and Martesana territorial social health company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of € 3,500.00 (three thousand five hundred), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent enforcement acts pursuant to art. 27 of Law n. 689/1981.

ORDERS, pursuant to art. 166, paragraph 7, of the Code, the full publication of this provision on the website of the Guarantor and believes that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

Pursuant to art. 78 of the Regulation, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad.

Rome, February 10, 2022

PRESIDENT
Stanzione

THE RAPPORTEUR
Cerrina Feroni

THE SECRETARY GENERAL
Mattei