IMY (Sweden) - DI-2019-9457

From GDPRhub
IMY (Sweden) - DI-2019-9457
LogoSE.png
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 32(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 26.01.2022
Fine: 300000 SEK
Parties: Municipality of Uppsala
National Case Number/Name: DI-2019-9457
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Swedish
Original Source: IMY (in SV)
Initial Contributor: Elisavet Dravalou

The Swedish DPA imposed a fine of approximately €30,000 on a regional council for emailing unencrypted medical data to administrative bodies, researchers and physicians in violation of Article 32(1) GDPR.

English Summary

Facts

Uppsala regional authorities notified the Swedish DPA (Integritetsskyddsmyndigheten - IMY) that a personal data breach had occurred in their jurisdiction in 2019. Based on this notification, the Swedish DPA initiated an investigation into the medical data which the Uppsala Regional Council emailed to other entities. Although the emails sent were encrypted themselves, the medical data contained within the emails was not.

The IMY's audit covered two processing operations. The first refers to emails with patient data that were sent automatically to other health entities within the region for administration and quality assurance purposes (approximately 25 emails per month); the second refers to emails with patient data that were sent manually to researchers and physicians for research and quality monitoring purposes (approximately 200-250 per year). The files could contain data such as name, age, personal identity number, patient category, diagnosis codes, waiting times, date of contact, area of activity, department and county.

The IMY stated that the processing operations in total could have concerned between 100,000 and 500,000 individuals for the period between 2015 and 2019. However, its investigation only covered the time period between the entry into force of the GDPR in 2018, and the notification date of the data breach on 7 May 2019 (after which the processing operations were halted).

Holding

The IMY took into account Recital 75 and 76 GDPR in order to carry out an assessment of the responsibilities of the Regional Council (the controller in this case), according to the risks involved in the data it was processing. The IMY highlighted that this case involved large amounts of medical data, which is a special category of data with extra protections under Article 9 GDPR, including children’s data.

Because of the fact that the emails were encrypted but the actual medical data contained within them was not, the IMY noted that although the information could not be intercepted during the transmission itself, it could however be accessed by both authorised and unauthorised recipients after transmission took place.

According to the IMY, in the case of the automated emails, there was a certain risk that data could fall into the wrong hands if the system was updated incorrectly, and in the case of manually sent emails, that risk was even higher. In the IMY's view, the Regional Council should have adopted technical measures (such as encryption) in order to protect the medical data contained in the automated and manually sent emails from unauthorised disclosure or access, thereby ensuring an adequate level of data protection security. The IMY also noted that the local government of Uppsala had issued a policy document related to the handling of emails which specifically prohibited sending sensitive personal data by email, and therefore the council should have identified the risks posed through processing the data in this manner.

Therefore, the IMY held that the Regional Council had violated Article 32(1) GDPR by failing to incorporate appropriate technical and organisational measures to ensure a level of security appropriate to the risk represented by the processing, and issued a fine of 300,000 SEK (approximately €30,000) on the council.

Comment

The data breach notification in this case also generated a parallel investigation in which the IMY imposed a fine of approximately €150,000 on the Uppsala University Hospital for a violation of Articles 5(1)(f) and 32(1) GDPR by emailing unencrypted medical records to patients and hospitals abroad (IMY (Sweden) - DI-2021-5595).

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

                                                                                                                     1 (10)






                                                                     The Regional Board of the Uppsala Region
                                                                     751 85 Uppsala








Record number:
DI-2019-9457 Decision after supervision according to

Date: the Data Protection Regulation against
2022-01-26

                               The Regional Board of the Uppsala Region





                               Table of Contents

                               The decision of the Integrity Protection Authority ................................................ ........................... 2

                               Report on the supervisory matter ............................................... ....................................... 2

                                      The starting point for the supervision ............................................... ................................. 2

                                      Information from the regional board ............................................... ............................... 2

                                             The first category of personal data processing - e-mail as
                                             was sent automatically ................................................ ........................... 3

                                             The second category of personal data processing - e-mail as
                                             sent manually ................................................ ................................... 3

                                             Information relating to both personal data processing ......................... 4

                               Grounds for the decision ............................................... .................................................. ... 5

                                      Applicable rules................................................ .................................................. .. 5
                                             The responsibility of the personal data controller ............................................... ...... 5

                                             The requirement for security in the processing of personal data, etc ..................... 5

                                      IMY's assessment .............................................. .................................................. 6

                                             Personal data responsibility ................................................. .............................. 6

                                             Sensitive personal data has been sent unencrypted within the region .............. 6
                                      Choice of intervention ............................................... .................................................. 7

                                             Legal regulation ................................................ ....................................... 7

                                             Imposition of a penalty fee ............................................... ..................... 7

                               How to appeal............................................... .................................................. ..... 10
Postal address:
Box 8114
104 20 Stockholm
Website:

www.imy.se
E-mail:
imy@imy.se

Phone:
08-657 61 00


                                                             Page 1 of 10, Integrity Protection Authority Record number: DI-2019-9457 2 (10)
                               Date: 2022-01-26







                               The decision of the Integrity Protection Authority


                               The Integrity Protection Authority (IMY) states that the Regional Board in the Uppsala Region

                               (regional board) as the person responsible for personal data, during the period from 25 May 2018
                               until 7 May 2019, processed personal data in violation of Article 32 (1) of
                               the Data Protection Regulation. This has been done by the regional board within the region

                               sent sensitive personal data and social security numbers via e-mail. The transmission of e-
                               the mail was encrypted but not the information in the emails. The treatment has

                               also occurred in violation of Region Uppsala's own guidelines. This means that the regional board
                               have not taken appropriate technical and organizational measures to ensure a

                               level of safety appropriate to the risk of treatment.


                               The IMY decides on the basis of Articles 58 (2) and 83 of the Data Protection Ordinance and Chapter 6.
                               § 2 of the Data Protection Act that the regional board, for violation of Article 32 (1) i

                               the Data Protection Regulation, shall pay an administrative penalty fee of 300,000
                               (three hundred thousand) kronor.



                               Report on the supervisory matter


                               The starting point for supervision

                               IMY decided to initiate an investigation against the regional board after a report of

                               personal data incident from the regional board on 7 May 2019.


                               IMY's review covers two categories of personal data processing.

                               The first category refers to emails with patient information sent

                               automated to relevant care administrations within the Uppsala Region for, among other things
                               administration and quality assurance.


                               The second category refers to emails with patient information sent

                               manually to researchers and doctors within the Uppsala Region for, among other things, research and
                               quality monitoring.


                               IMY has examined whether the personal data processing in the e-mail meets the requirements
                               security provided for in Article 32 of the Data Protection Regulation.


                               The Data Protection Ordinance came into force on 25 May 2018. IMY's supervision covers
                               therefore the period from 25 May 2018 to 7 May 2019 (when notification was received). IMY has
                               has not reviewed the measures that the regional board has stated that it has taken after the 7th

                               May 2019.


                               Information from the regional board


                               The Regional Board has stated, among other things, the following.






                               Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with
                               concerning the processing of personal data and on the free movement of such data and on the repeal of
                               Directive 95/46 / EC (General Data Protection Regulation).
                               2The Act (2018: 218) with supplementary provisions to the EU Data Protection Regulation.



                                                             Page 2 of 10, Integrity Protection Authority Record number: DI-2019-9457 3 (10)
                               Date: 2022-01-26







                               The first category of personal data processing - e-mail sent
                               automated
                               The statistical database Cosmic Intelligence retrieved personal data from

                               the main journal system Cosmic. The personal information was then retrieved by Business
                               Objects that put the information in an excel file. The transfers took place automatically each

                               month. Business Objects then sent the Excel files to the relevant healthcare administrations
                               within the Uppsala Region, such as the University Hospital and the Hospital in Enköping. E-
                               the mail messages were sent automatically every month to Region Uppsala's e-mail

                               postal domains. The emails were sent only to authorized persons within it
                               administration that was concerned within the Uppsala Region.


                               The current excel files could contain all the information from the patient record,
                               in addition to the running text from the patient record's free text field. Depending on the type of

                               report, other information could also be included, such as waiting times and patient category.
                               The Excel files also contained information about social security number, name, care unit and

                               contact date.

                               About 25 emails were sent each month to about a hundred recipients within

                               The academic hospital's area of activity. Hundreds of transmitters and receivers within
                               The Uppsala region had access to the personal data.


                               The overall purpose of the processing of personal data has been administration,
                               for example, to correct errors in the operations and to rectify them. In addition,

                               the purpose has been to develop and ensure the quality of the business.


                               The processing of personal data has been ongoing since 2015 until the Regional Board
                               notification of the incident to IMY on May 7, 2019. The treatment was stopped completely in
                               in connection with the discovery of the incident.


                               The second category of personal data processing - e-mail sent

                               manually
                               The statistical database Cosmic Intelligence retrieved personal data from
                               the main journal system Cosmic. The Diver output system then retrieved personal data

                               from Cosmic Intelligence and the patient administration systems IMX and PAS. Socket
                               of personal data was then done manually from Diver to Excel files. The manual

                               the withdrawals were made by, among others, the system developer and the administrator at
                               the regional office. These excel files were then sent to doctors when they had requested
                               information for quality monitoring purposes and to researchers when requested

                               research data. The emails were sent only to recipients who were
                               employees within Region Uppsala, ie only to Region Uppsala's e-

                               postal domains. This means that the emails were not sent to email addresses
                               affiliated with Uppsala University.


                               The Excel files could, among other things, contain information about social security numbers, diagnostic codes,
                               contact date, area of activity, age, county, action code and department. The Excel files

                               did not contain name information. The Excel files only concerned patients who were being treated
                               at the Academic Hospital.


                               Approximately 200−250 emails were sent per year. Hundreds of transmitters and
                               recipients within the Uppsala Region had access to the personal data.


                               The personal data was processed for administrative purposes and to develop and secure
                               the quality of the business and for research purposes.




                                                            Page 3 of 10, Integrity Protection Authority Record number: DI-2019-9457 4 (10)
                               Date: 2022-01-26







                               The processing of personal data lasted from September 2014 until the regional board's notification
                               about the incident to IMY on May 7, 2019. The treatment was stopped completely in connection with
                               that the incident was discovered and work began to develop a solution for

                               email encryption.


                               Information concerning both personal data processing
                               Personal data responsibility


                               The Regional Board is responsible for personal data for the personal data processing that concerns
                               compilation of data in Business Objects and for the processing that takes place at

                               automatic transmission by e-mail. The processing takes place at the administration regional office,
                               which is placed under the board's regional board. This assessment is made against
                               given that the regional board is an independent administrative authority which

                               determines the purpose and means of the processing of personal data.


                               The Regional Board is also responsible for personal data for the processing that takes place in Diver
                               and for the processing that takes place via the manual transmission via e-mail.


                               The Regional Board has attached the documents Regulations for boards and committees in
                               Uppsala Region and the Regional Board's delegation procedure.


                               Control document


                               According to Region Uppsala's governing document on handling mail and e-mail gets sensitive
                               personal data is not communicated via e-mail.


                               Categories of registered


                               Categories of registered are employees, patients, children and persons with protection
                               identity. In the case of employees, information about them only appears in sending and

                               receiving e-mail addresses.

                               The personal data processing affects a total of between 100,000 and 500,000 individuals

                               for the period 2015−2019.

                               Categories of users


                               The categories of users who have access to the personal data are administrative

                               personnel with access to source systems and storage areas.

                               Encryption


                               The transport (transmission) of e-mail within the region was encrypted though

                               the information in the excel files was not protected by encryption.

                               The transport of the e-mail was sent encrypted with the cryptographic

                               the communication protocol TLS1.2 to recipients within the Uppsala Region.
                               In the first processing of personal data, the Regional Board used a local e-

                               mail server when transporting e-mail between Business Objects and recipients within
                               the region. In the second reading, the Regional Board used Microsoft's Outlook for e-
                               the mail.







                                                            Page 4 of 10, Integrity Protection Authority Record number: DI-2019-9457 5 (10)
                               Date: 2022-01-26






                               There were no technical protection measures to prevent reading and modification of

                               the information in the excel files. There were also no protective measures in place to prevent that
                               unauthorized persons took part in the information.


                               Justification of the decision


                               Applicable rules


                               The responsibility of the personal data controller
                               He who alone or together with others decides the purposes and means for

                               the processing of personal data is the person responsible for personal data. It is stated in Article 4 (7)
                               in the Data Protection Regulation.


                               The person responsible for personal data is responsible for and must be able to show that the basics
                               the principles of Article 5 of the Data Protection Regulation are complied with (Article 5 (2) of the Regulation).


                               The person responsible for personal data is responsible for implementing appropriate technical and
                               organizational measures to ensure and be able to demonstrate that the treatment is carried out in

                               in accordance with the Data Protection Regulation. The measures shall be implemented taking into account
                               the nature, scope, context and purpose of the treatment and the risks, of
                               varying degrees of probability and seriousness, for the freedoms and rights of natural persons.

                               The measures must be reviewed and updated as necessary. It is stated in Article 24 (1) (i)
                               the Data Protection Regulation.


                               The requirement for security in the processing of personal data, etc.
                               Health information constitutes so-called sensitive personal data. It is forbidden to

                               process such personal data in accordance with Article 9 (1) of the Data Protection Regulation, unless
                               the treatment is not covered by any of the exceptions in Article 9 (2) of the Regulation.


                               It follows from Article 32 of the Data Protection Regulation that the controller and
                               the personal data assistant shall take appropriate technical and organizational measures to:

                               ensure a level of safety that is appropriate in relation to the risk of the treatment.
                               This must be done taking into account the latest developments, the implementation costs
                               and the nature, scope, context and purpose of the treatment and the risks, of

                               varying degrees of probability and seriousness, for the rights and freedoms of natural persons.

                               In assessing the appropriate level of safety, special consideration shall be given to the risks involved

                               the treatment entails, in particular from accidental or unlawful destruction, loss or
                               change or to unauthorized disclosure of or unauthorized access to the personal data that
                               transferred, stored or otherwise processed. It is clear from Article 32 (2) (i)

                               the Data Protection Regulation.


                               Recital 75 of the Data Protection Regulation sets out factors that must be taken into account in the assessment
                               of the risk to the rights and freedoms of natural persons. Among other things, the loss of
                               confidentiality of personal data covered by the obligation of professional secrecy and whether

                               the treatment concerns information about health or sexual life. Furthermore, if
                               the processing concerns personal data about vulnerable natural persons, in particular children,
                               or if the processing involves a large number of personal data and applies to a large

                               number of registered.

                               Recitals 39 and 83 also provide guidance on the more detailed meaning of

                               the requirements of the Data Protection Regulation on security when processing personal data.




                                                            Page 5 of 10, Integrity Protection Authority Record number: DI-2019-9457 6 (10)
                                 Date: 2022-01-26






                                 IMY's assessment



                                 Personal data responsibility
                                 The Regional Board has stated that it is responsible for personal data for the e-
                                 mail transfers described in the case, which is supported by the investigation in the case. IMY

                                 therefore assesses that the regional board is responsible for personal data for those concerned
                                 the treatments.


                                 Sensitive personal data has been sent unencrypted within the region

                                 The Regional Board has sent excel files with patient information within the region via e-mail.
                                 In the case of the first category of personal data processing, about 25 e-mails were sent

                                 mail messages automatically every month and for the second category
                                 about 200-250 emails were sent manually per year. The transmission of e-

                                 the entry within the region was encrypted but not the information in the excel files.


                                 The Regional Board has stated that sensitive personal data may not be communicated via e-
                                 mail according to Region Uppsala's governing document on handling mail and e-mail.


                                 As the person responsible for personal data, the regional board shall take appropriate technical and

                                 organizational measures to ensure an appropriate level of security in
                                 relation to the risks (Article 32 of the Data Protection Regulation). The personal data as

                                 treated must, for example, be protected against unauthorized disclosure or unauthorized access.

                                 What is the appropriate level of security varies in relation to, among other things, the risks for

                                 the rights and freedoms of natural persons arising from the treatment and
                                 the nature, scope, context and purpose of the treatment. In the assessment must

                                 it is taken into account, for example, what type of personal data is processed, to
                                 for example, in the case of health information. 3


                                 The current Excel files contained personal health information that is sensitive

                                 personal data. Processing of sensitive personal data can mean significant
                                 risks to privacy. In addition, the excel files contained social security numbers
                                                                                          4
                                 which are considered to be particularly personal data. The information in e-
                                 the mail messages were therefore of such a nature that they required strong protection.


                                 The transmission of the e-mail from the regional board was encrypted but not the information in

                                 the emails. This meant that the information in the excel files could not be intercepted
                                 (read) during the actual transfer. However, the information could be read in clear text by
                                 both authorized and unauthorized recipients after the transfer. At an automated

                                 transmission, there is a certain risk that data will fall into the wrong hands if the system
                                 would be updated incorrectly. In the case of a manual transfer of personal data, there is one more

                                 higher risk of the data falling into the wrong hands compared to an automated one
                                 transfer. This is because the person sending the information could write one

                                 incorrect recipient address. According to IMY's assessment, the regional board should have taken action
                                 technical measures, for example in the form of encryption, to protect the information in the

                                 automated and the manual e-mails against unauthorized disclosure or
                                 unauthorized access and thereby ensure an appropriate level of protection.


                                 According to the regional board, Region Uppsala's governing document on handling mail states

                                 and e-mail that sensitive personal data may not be communicated via e-mail.

                                 3
                                 4See recitals 75 and 76 of the Data Protection Regulation.
                                  See Article 87 of the Data Protection Ordinance and Chapter 3. Section 10 of the Data Protection Act.
                                 5See the Swedish Data Inspectorate's report Reported personal data incidents 2019 (report 2020: 2).


                                                               Page 6 of 10, Integrity Protection Authority Record number: DI-2019-9457 7 (10)
                                Date: 2022-01-26






                                The Regional Board has thus identified the risks that the treatment of sensitive

                                personal data in e-mail entails but has not taken sufficient measures to comply
                                guidelines. IMY thus finds that the regional board has not taken the appropriate ones

                                organizational measures required to ensure the safety of treatment.

                                Overall, IMY finds that the Regional Board has not taken appropriate technical and

                                organizational measures to ensure an appropriate level of security in
                                in relation to the risk of the treatment. The Regional Board has therefore considered
                                personal data in breach of Article 32 (1) of the Data Protection Regulation.


                                Choice of intervention


                                Legal regulation

                                In the event of violations of the Data Protection Regulation, the IMY has a number of corrections
                                powers available under Article 58 (2) (a) to (j) of the Data Protection Regulation, inter alia
                                reprimand, injunction and penalty fees.


                                IMY shall impose penalty fees in addition to or in lieu of other corrective actions
                                referred to in Article 58 (2) of the Data Protection Regulation, depending on the circumstances of

                                each individual case.


                                Member States may lay down rules on whether and to what extent administrative
                                penalty fees can be imposed on public authorities. It is clear from Article 83 (7) (i)
                                Regulation. Sweden has accordingly decided that the supervisory authority shall receive

                                charge sanction fees by authorities. For infringements of, inter alia, Article 32,
                                the fee amounts to a maximum of SEK 5,000,000. It appears from ch. 6 Section 2 of the Data Protection Act

                                and Article 83 (4) of the Data Protection Regulation.

                                If a personal data controller or a personal data assistant, with respect to a

                                and the same or interconnected data processing, intentionally or by
                                negligence violates several of the provisions of this Regulation may it
                                the total amount of the administrative penalty fee does not exceed the amount determined

                                for the most serious infringement. It is clear from Article 83 (3) (i)
                                the Data Protection Regulation.


                                Each supervisory authority shall ensure that the imposition of administrative
                                penalty fees in each individual case are effective, proportionate and dissuasive. The

                                provided for in Article 83 (1) of the Data Protection Regulation.

                                Article 83 (2) of the Data Protection Regulation sets out the factors to be taken into account in order to:

                                decide whether to impose an administrative penalty fee, but also at
                                determining the amount of the penalty fee. If it is a question of a smaller

                                infringement may IMY as set out in recital 148 instead of imposing a
                                issue a reprimand in accordance with Article 58 (2) (b) of the Regulation. Consideration shall
                                taken to aggravating and mitigating circumstances in the case, such as the infringement

                                character, degree of difficulty and duration as well as previous violations of relevance.


                                Imposition of a penalty fee
                                IMY has above assessed that the regional board has violated Article 32 (1) i
                                the Data Protection Regulation. Infringements of that provision may, as stated above,

                                give rise to penalty fees.






                                                              Page 7 of 10, Integrity Protection Authority Record number: DI-2019-9457 8 (10)
                               Date: 2022-01-26







                               The violations have taken place because the regional board has sent a large amount
                               unencrypted patient data within the region via encrypted email.
                               The personal information in the e-mail included sensitive personal information and

                               social security number, which entailed a high risk to the data subjects' freedoms and rights.
                               The treatments have taken place systematically and for a long time. The treatments have

                               also occurred in violation of Region Uppsala's own guidelines. These factors mean
                               overall that a penalty fee should be imposed.


                               IMY states that the manual and the automatic transmission of e-mail
                               constitute interconnected data processing within the meaning of Article 83 (3) (i)

                               the Data Protection Regulation. This is because the treatments concern patient data such as
                               was retrieved from the main journal system Cosmic for similar purposes such as
                               administration and quality assurance. In addition, it is a matter of violation of

                               the same provision, ie Article 32 (1) of the Regulation.


                               In determining the size of the penalty fee, the IMY shall take into account both aggravating and
                               mitigating circumstances and that the administrative penalty fee should be
                               effective, proportionate and dissuasive.


                               It is aggravating that the personal data processing has been going on for a long time,

                               that is, during the period under review from 25 May 2018 to 7 May 2019,
                               and that they have taken place systematically. It is also aggravating that the treatments included
                               a large amount of health information that unauthorized persons have been able to access after the transfer.

                               As for the first category of personal data processing, it has been about
                               about 25 emails per month that unauthorized persons have been able to access and
                               in the case of the second category, it has been around 200−250 e-

                               mail messages per year. The Regional Board estimates that
                               the personal data processing has in total touched between 100,000 and 500,000

                               individuals for the period 2015−2019. It is thus a question of a large number of registered
                               during a year. Through the data processed, the data subjects can be identified directly
                               through, for example, names, social security numbers and health information. IMY therefore considers that

                               the nature, scope of the data and the dependency of the data subjects
                               the regional board has a special responsibility to ensure appropriate protection for

                               personal data, which did not happen.

                               It is also aggravating that the treatments took place in violation of Region Uppsala's own

                               guidelines that sensitive personal data should not be sent by e-mail.


                               As mitigating circumstances, IMY considers that the transmission of the e-mail was
                               encrypted and that the e-mail was sent internally within the region. This means that
                               the regional board has taken certain measures in order to comply with the requirements and reduce them

                               the risks of the treatments. IMY also considers that the regional board stopped
                               the processing in connection with the notification of a personal data incident to IMY on 7 May

                               2019.

                               IMY decides on the basis of an overall assessment that the regional board must pay one

                               administrative sanction fee of SEK 300,000 (three hundred thousand).












                                                             Page 8 of 10, Integrity Protection Authority Record number: DI-2019-9457 9 (10)
                               Date: 2022-01-26







                               This decision was made by Director General Lena Lindgren Schelin after the presentation
                               by lawyer Linda Hamidi. At the final hearing, the Chief Justice also has David

                               Törngren, unit manager Malin Blixt and IT security specialist Ulrika Sundling
                               participated.





                               Lena Lindgren Schelin, 2022-01-26 (This is an electronic signature)




                               Appendix

                               Information on payment of penalty fee.

                               Copy to

                               The Data Protection Officer.
























































                                                             Page 9 of 10, Integrity Protection Authority Record number: DI-2019-9457 10 (10)
                              Date: 2022-01-26






                              How to appeal


                              If you want to appeal the decision, you must write to the Privacy Protection Authority. Enter i

                              the letter which decision you are appealing and the change you are requesting. The appeal shall
                              have been received by the Privacy Protection Authority no later than three weeks from the date of the decision
                              was announced. If the appeal has been received in time, send

                              The Integrity Protection Authority forwards it to the Administrative Court in Stockholm
                              examination.


                              You can e-mail the appeal to the Privacy Protection Authority if it does not contain
                              any privacy-sensitive personal data or data that may be covered by
                              secrecy. The authority's contact information can be found on the first page of the decision.


























































                                                          Page 10 of 10