Garante per la protezione dei dati personali (Italy) - 9542155

From GDPRhub
Garante per la protezione dei dati personali - 9542155
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(2) GDPR
Article 9 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 14.01.2021
Fine: 18000 EUR
Parties: Azienda Usl di Bologna
National Case Number/Name: 9542155
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante Privacy (in IT)
Initial Contributor: n/a

The Italian DPA (Garante per la protezione dei dati personali) imposed a fine of 18.000€ on the Local Health Authority of Bologna, for violating Articles 5(2)(f) and 9 GDPR.

English Summary

Facts

The data processor working for the company, inadvertently shared hospital discharge letters with related drug therapies from some patients with other patients by including them in the latter’s own Electronic Health Record.

Dispute

The Company has sent its defence explaining how they intervened to correct the problem.

Holding

The Italian DPA notes the unlawfulness of the processing of personal data carried out by the Local Health Authority of Bologna for violation of Articles 5(2)(f) and 9 GDPR. On the basis of Articles 58(2)(i) and 83 GDPR, the Garante imposed a fine of € 18 000 on the Local Health Authority of Bologna.

Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web n. 9542155]

Injunction order against Azienda Usl di Bologna - January 14, 2021

Register of measures
n. 11 of January 14, 2021

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer. Guido Scorza, members and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / EC, "General Data Protection Regulation" (hereinafter the "Regulation");

GIVEN the legislative decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of individuals with regard to to the processing of personal data, as well as to the free circulation of such data and which repeals Directive 95/46 / EC (hereinafter the "Code");

GIVEN the Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and in www.gpdp.it, doc. web n. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019");

HAVING REGARD to the documentation on file;

GIVEN the observations made by the Secretary General pursuant to art. 15 of the Guarantor Regulation n. 1/2000;

Speaker prof. Pasquale Stanzione;

WHEREAS

1. The violation of personal data.

The Local Health Authority of Bologna (hereinafter the Company) has notified the Guarantor of a violation of personal data pursuant to art. 33 of the Regulation in relation to the report made on 29 August 2018 by the Oncology Department of the Bellaria Hospital about the complaints made by two patients in relation to the presence, on the FSE of the same, of a document containing the hospital discharge letters with related drug therapies of other patients belonging to the aforementioned department.

According to what is indicated in the aforementioned communication, the aforementioned erroneous insertion took place in 182 ESF, of which only 49 active. Given that indicated by the Company, only 14 subjects, of the 49 with active ESF, have actually viewed the document erroneously inserted in their ESF. Again according to what was stated in the aforementioned notification, only two general practitioners received the notifications relating to the inclusion in the FSE of their patients of a new document.

Furthermore, in the aforementioned notification it emerges that this event would have been generated by a manual error by a technician belonging to the "LOG80 company" and that, after about 6 hours from the aforementioned patient reports, the erroneously entered documents would have been deleted (notification of 4 September 2018, prot. n. 107095). Subsequently, the Company integrated the documentation relating to the aforementioned notification of violation (note 09/10/2018, prot. No. 121623).

2. The preliminary activity.

In relation to what was communicated by the Company, the Office requested information with a note dated 29.1.2019, prot. n. 3065, to which the Company has provided feedback with a note dated 4.3.2019, prot. n. 28152, representing, in particular, that:

- "the ascertained users who had accessed their ESF in the short period of time in which the erroneous documentation was present there are 14";

- "already after 6 hours and 30 minutes from the moment of taking charge of the report, the documents have been eliminated from the ESF in which they were erroneously filed";

- "the LOG80 company, as a precaution, declares that the incorrectly sent health documentation could, at most, refer to 182 subjects" and that "only 2 of the 14 citizens who could potentially have had access to the erroneous documentation through the ESF have, with certainty , made access to non-personal health documentation and coincide with the two patients who reported the anomaly ";

- «the company LOG80 is identified in charge of the treatment» by the company;

- «the communication to the interested parties has not been prepared so far as, pursuant to art. 34 GPDR, the risk for the rights and freedoms of citizens resulting from the violation was assessed as not high, both in consideration of the identified interested parties (...), and in consideration of the period of time taken (...) to adopt the immediate measure capable of containing the violation ".

The Office, with act no. 32245 of 03/13/2019, notified the Company, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in Article 58, paragraph 2, of the Regulations, inviting the aforementioned holder to produce defensive writings or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, by law n. 689 of 24/11/1981).

In particular, the Office, in the aforementioned deed, represented that, on the basis of the elements acquired and the facts that emerged as a result of the investigation, the Company carried out, by inserting 182 hospital discharge letters of third parties, a communication of data relating to the health of such interested parties to third parties in the absence of a suitable legal basis and, therefore, in violation of the basic principles of the treatment referred to in Articles 5 and 9 of the Regulations (Article 5, par. 1, letter f) of the Regulations).

With a note dated 11.4.2019 (prot.n.46587), the Company sent its defense briefs, in which additional elements were represented and in particular that:

- "From an immediate analysis of the incident, it was found that the error was due to a massive re-sending of the letters following recovery activities manually activated by a technician from the Log80 company on the afternoon of 28 August 2018". “As soon as they became aware of the problem, the technical representatives of the Company Information System Operating Unit alerted the technicians of the Company Log80 by telephone asking them to implement all the necessary measures to correct and promptly block the incorrect sending. In the meantime, the notification to the Log80 Company was formalized by email, which around 10.30 am on 29 August 2018 blocked the sending of documents in the SOLE / FSE flow and, on the recommendation of the Company Information System UO, he coordinated with the Cup 2000 technicians to understand how to amend the situation also as regards relations with general practitioners. At 12.31 pm, the Oncology Unit reported that another patient had received a letter from another patient on his FSE. The Log80 company activated the sending of the messages of cancellation of the wrong pdfs (sent between the afternoon of 28 August 2018 and 10.30 of 29 August 2018): at the same time Cup 2000 was involved to manage the SUN part. At 16.34 on 29 August 2018, the Company Log80 confirmed to the Company Information System Unit that: the technical problem that had generated the error had been solved; all pdfs had been deleted from the SOLE network; Cup 2000 had notified the cancellation to the General Practitioners involved; continued to carry out tests and checks before reactivating the flow of discharge letters to SOLE. At 16.53 on 29 August 2018, the Head of the Company Information System UO informed the Health Department, the Management of the Oncology UO and the contact person SOLE that the system was back up and running, except for sending the documents to SOLE ";

- "The potential patients (and related data) involved in the violation can be a maximum of 182. Of these potential 182, 49 have active FSE and of these 49 patients only 14 accessed their FSE between the afternoon of 28 August 2018 and the morning of 29 August 2018. Finally, there were 2 General Practitioners who downloaded the discharge letters relating to the patients concerned ";

- the company Log80 on the incident stated that: “Due to the report concerning the failure to send the letters to SOLE, we intervened to correct the problem. In this context, a bug has been introduced into the procedure which is illustrated below: the procedure usually sends automatically overnight all documents produced the previous day. In this case, a manual launch was carried out at the time indicated following the above report. The procedure links the pdf of the discharge letter with the pdf of the discharge therapy. Unfortunately, it could happen that, when processing the next patient, the document of the previous patient was not "reset", producing a single pdf document with the concatenation of the documents referring to several subsequent patients. The procedure was immediately stopped on the morning of 29 August 2018 following the first report received. For each submission made during the period, a cancellation message was sent to Cup 2000 as a precaution, resulting in the cancellation from the FSE. On the afternoon of August 29, all the documents were canceled ".

- "The Local Health Authority of Bologna on 21/07/2017 with note prot. n. 88591 appointed the company Log80 as external manager of the processing of personal data, pursuant to the previous Privacy Code, in relation to the contract for the acquisition of maintenance and assistance services for the management system in question ". "Subsequently, following the entry into force of EU Regulation 2016/679 and the amendments made to Legislative Decree no. 196/2003 by Legislative Decree n. 101/2018 the same company Log80 has been designated - with a note dated 13/02/2019, prot. n. 19222 - responsible for the processing of personal data pursuant to art. 28 of the Regulation ";

- "Following what happened, the Corporate Information System OU, with a view to implementing adequate corrective actions, scheduled a meeting with the Company Log80 on 23 October 2018 so that the Company could adopt the appropriate organizational measures aimed at minimizing the risk of verification of similar events ";

- "Subsequently, with a note dated February 15, 2019, the Information and Communication Technologies OU also asked the Company Log80 to give evidence of which training / organizational actions had in the meantime been adopted. In particular, the Company requested the implementation of explicit tests in a dedicated environment in order to verify the document content and the entire messaging process to be carried out before each restart phase that occurs following any system blocking events ". "The Company Log80 found the request with a note dated 28/02/2019, prot. n. 26/2019, producing a copy of the internal training report dated 25/09/2018 relating to the management of information security (Annex in documents); copy of corrective action no. 12/2018 produced by the internal management of Log80 (Annex in acts).

In relation to the Company's request, on 16 January 2020, at the Guarantor's Office, pursuant to art. 166, paragraphs 6 and 7, of the Code 18, paragraph 1, by law no. 689 of 24/11/1981 the hearing was held, during which the Company reiterated what had already been represented, specifying in particular that "following a report relating to the circumstance that the flow of data from the oncology management application provided by the company Log 80 and intended for the FSE, the Company involved the aforementioned supplier to reactivate the flow of conferral of documents to the regional FSE. The aforementioned company, restored the proper functioning of the computer system, in order to ensure that the dossiers were also fed with the clinical documents produced during the malfunctioning period of the management application, it checked which documents were not assigned to the ESF and identified a method for sending them to the regional infrastructure. In order to make this contribution, the aforementioned company regenerated the pdf. unsent documents, with the aim of sending them to the regional infrastructure. In this phase, due to a clerical error by the employee of the aforementioned company, in place of the creation of a single document in pdf. for each missing clinical document, a pdf file was generated. that queued more documents. It should be noted that the employee of the company Log 80 verified at the end of the file generation operation that the number of documents generated was consistent with the number of documents that had to be given to the ESF. In a short period of time, two interested parties, on whose FSE the aforementioned documents had been uploaded, reported this circumstance to the hospital medical staff, who proceeded to inform the company ICT Service, which intervened promptly in order to ensure the cancellation of the documents incorrectly entered in the (49 forty-nine) ESF. Checks subsequently carried out showed that in only 14 (fourteen) cases of the 49 (forty-nine) cases with active FSE the holder of the FSE had access to it in the short period in which the aforementioned documents were present and that only 2 (two) GPs had received in their file the notification concerning the presence of new documents in the ESF of their clients. Given the extreme speed of action with which the documents were deleted (approximately 6 (six) hours), it was not possible to verify whether in this short period of time the fourteen aforementioned holders actually had access to the erroneous documentation or, rather, had accessed their ESF for other reasons. Of these 14 (fourteen) cases that could potentially have accessed the aforementioned documentation erroneously included in their ESF,

During the hearing, the Company also represented that it had reported to the Emilia Romagna Region "the need to carry out checks - on the regional infrastructure side of the ESF - on the size of the documents by type that are uploaded to the files, compared to the average size of the files. documents normally sent ".

3. Outcome of the preliminary investigation.

Having taken note of what is represented by the Company in the documentation in deeds and in the defense briefs, it is noted that:

1. the Regulation, in establishing a general prohibition on the processing of particular categories of personal data, provides for a derogation in the event that the processing is necessary for the purposes of diagnosis, assistance and health therapy (Article 9, paragraph 2, lett. h) and par. 3 of the Regulation) and is carried out on the basis of the law of the Union or of the Member States (see in this regard Article 12, Legislative Decree 179/2012, Prime Ministerial Decree No. 178/2015). The processing of the personal data in question can be traced back to the cases indicated in art. 9, par. 2, lett. h) of the Regulations;

2. Due to an error, 182 third-party hospital discharge letters were inserted in 49 ESF, including the files of the two interested parties who reported the incident.

4. Conclusions.

In light of the aforementioned assessments, taking into account the statements made by the data controller and data processors during the investigation ˗ and considering that, unless the fact constitutes a more serious crime, anyone, in a proceeding before the Guarantor, declares or falsely certifies news or circumstances or produces false deeds or documents and is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or the exercise of the powers of the Guarantor" ˗ the elements provided by the data controller in the defense briefs do not allow to overcome the findings notified by the Office with the deed initiation of the procedure, however, as none of the cases provided for by art. 11 of the Guarantor Regulation n. 1/2019.

For these reasons, the unlawfulness of the processing of personal data carried out by the Bologna Usl Company under the terms set out in the motivation, for violation of articles 5, par. 2, lett. f), and 9 of the Regulations.

In this context, considering, in any case, that the conduct has exhausted its effects, given that the Company has declared that the procedure that led to the incorrect insertion of documents in the 14 ESF has been corrected, that the functioning of the IT system, in order to ensure that the dossiers are fed also with the clinical documents produced during the period of malfunction of the management application and that, once the documents not transferred to the ESF have been verified, a method has been identified for sending of the same to the regional infrastructure the conditions for the adoption of the corrective measures referred to in art. 58, par. 2, of the Regulation.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and ancillary sanctions (articles 58, par. 2, lett. I and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The violation of articles 5, par. 2, lett. f) of the Regulations, caused by the conduct put in place by the Local Health Authority of Bologna, is subject to the application of a pecuniary administrative sanction pursuant to art. 83, paragraph 5, lett. a) of the Regulations.

It should be considered that the Guarantor, pursuant to art. 58, par. 2, lett. i) and 83 of the Regulation, as well as art. 166 of the Code, has the power to "inflict an administrative pecuniary sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, depending on the circumstances of each single case "and, in this context," the College [of the Guarantor] adopts the injunction order, with which it also disposes with regard to the application of the ancillary administrative sanction of its publication, in whole or in excerpt, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code "(Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

The aforementioned administrative fine imposed, according to the circumstances of each individual case, must be determined in the amount taking into account the principles of effectiveness, proportionality and dissuasiveness, indicated in art. 83, par. 1, of the Regulation, in light of the elements provided for in art. 85, par. 2, of the Regulation in relation to which it is noted that:

- the Authority became aware of the event following the notification of personal data breach made by the same owner and no complaints or reports were received to the Guarantor on the incident (Article 83, paragraph 2, letter a) and h) of the Regulation);

- the data processing carried out by the Company, through the ESF, concerns data suitable for detecting information on the health of numerous interested parties. The event led to the insertion in 182 FSE (of which only 49 active) of hospital discharge letters from numerous subjects even if in only 14 (fourteen) cases, of the 49 (forty-nine) cases with active FSE, the holder of the FSE had access to it in the short period in which the aforementioned documents were present and that only 2 (two) GPs who had received in their folder the notification concerning the presence of new documents in the ESF of their clients had access to them (art. 4, par. 1, n.15 of the Regulations and art.83, par. 2, letters a) and g) of the Regulations);

- the absence of elements of voluntariness on the part of the Company in the cause of the event (Article 83, paragraph 2, letter b) of the Regulations);

- the limited temporal extension of the event and the immediate taking charge of the problem both by the Company's data processor and by the company IT technicians who were followed by the identification of corrective and resolving solutions (Article 5 , par. 2 and art.83, par. 2, letters c) and d) of the Regulation);

- the Company immediately demonstrated a high degree of cooperation, also informing the Emilia Romagna Region of the need to carry out checks - on the regional infrastructure side of the ESF - on the size of the documents by type that are loaded on the files, with respect the average size of the documents normally sent (Article 83, paragraph 2, letters c), d) and f) of the Regulations);

- the Company has already been the recipient of a warning pursuant to art. 57, par. 1, lett. a) of the Regulation, for the violation of the basic principles of processing, as per art. 5, par. 2, lett. f) and 9 of the Regulations (provision of 1 October 2020, n.176);

Based on the aforementioned elements, assessed as a whole, also taking into account the phase of first application of the sanctioning provisions pursuant to art. 22, paragraph 13, of the d. lgs. 10/08/2018, n. 101, it is believed that the amount of the pecuniary sanction envisaged by art. 83, par. 4, lett. a) and par. 5, lett. b) of the Regulations, to the extent of € 18,000 (eighteen thousand) for the violation of Articles 5, par. 1, lett. f) and 9 of the Regulation as a pecuniary administrative sanction, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

It is also believed that the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, also in consideration of the potential number of interested parties and the type of personal data subject to unlawful processing.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

WHEREAS, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the Bologna Usl Company, for the violation of art. 5, par. 1, lett. f) and 9 of the Regulations in the terms indicated in the motivation.

ORDER

pursuant to art. 58, par. 2, lett. i) and 83 of the Regulation, as well as art. 166 of the Code, to the Local Health Authority of Bologna with registered office in Bologna, via Castiglione, 29 - Tax ID / VAT number 02406911202, in the person of the pro-tempore legal representative, to pay the sum of 18,000 (eighteen thousand) euros by way of pecuniary administrative sanction for the violations indicated in this provision, according to the methods indicated in the annex, within 30 days from the notification of motivation; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed.

INJUNCES

to the aforementioned Company, in case of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of € 18,000 (eighteen thousand), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981.

HAS

pursuant to art. 166, paragraph 7, of the Code, the publication in full of this provision on the website of the Guarantor and believes that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

Pursuant to art. 78 of the Regulation, of art. 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision, it is possible to lodge an appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad.

Rome, January 14, 2021

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE SECRETARY GENERAL
Mattei