IMY (Sweden) - DI-2019-9457
Article 32(1) GDPR
Municipality of Uppsala
IMY (in SV)
The Swedish DPA imposed a fine of approximately €30,000 on a regional council for emailing unencrypted medical data to administrative bodies, researchers and physicians in violation of Article 32(1) GDPR.
English Summary
Facts
Uppsala regional authorities notified the Swedish DPA (Integritetsskyddsmyndigheten - IMY) that a personal data breach had occurred in their jurisdiction in 2019. Based on this notification, the Swedish DPA initiated an investigation into the medical data which the Uppsala Regional Council emailed to other entities. Although the emails sent were encrypted themselves, the medical data contained within the emails was not.
The IMY's audit covered two processing operations. The first refers to emails with patient data that were sent automatically to other health entities within the region for administration and quality assurance purposes (approximately 25 emails per month); the second refers to emails with patient data that were sent manually to researchers and physicians for research and quality monitoring purposes (approximately 200-250 per year). The files could contain data such as name, age, personal identity number, patient category, diagnosis codes, waiting times, date of contact, area of activity, department and county.
The IMY stated that the processing operations in total could have concerned between 100,000 and 500,000 individuals for the period between 2015 and 2019. However, its investigation only covered the time period between the entry into force of the GDPR in 2018, and the notification date of the data breach on 7 May 2019 (after which the processing operations were halted).
Holding
The IMY took into account Recitals 75 and 76 GDPR in order to assess the responsibilities of the Regional Council (the controller in this case) according to the risks involved in the data it was processing. The IMY highlighted that this case involved large amounts of medical data, which is a special category of data with extra protections under Article 9 GDPR, including children's data.
Because the e-mail transport was encrypted but the medical data inside the messages was not, the IMY noted that although the information could not be intercepted during the transmission itself, it could be read in clear text by both authorised and unauthorised recipients after the transmission took place.
According to the IMY, in the case of the automated emails, there was a certain risk that data could fall into the wrong hands if the system was updated incorrectly, and in the case of manually sent emails, that risk was even higher. In the IMY's view, the Regional Council should have adopted technical measures (such as encryption) in order to protect the medical data contained in the automated and manually sent emails from unauthorised disclosure or access, thereby ensuring an adequate level of data protection security. The IMY also noted that the local government of Uppsala had issued a policy document related to the handling of emails which specifically prohibited sending sensitive personal data by email, and therefore the council should have identified the risks posed through processing the data in this manner.
Therefore, the IMY held that the Regional Council had violated Article 32(1) GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by the processing, and imposed a fine of 300,000 SEK (approximately €30,000) on the council.
Comment
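The point the IMY makes in the Holding, that TLS protects the message only in transit while the Excel attachment sits in clear text in every mailbox it lands in, is usually addressed operationally by enforcing the region's own rule that sensitive personal data is not sent by e-mail at all. The following Python script is an added example and is not part of the decision or of Region Uppsala's systems: a small outgoing-mail policy check that inspects a message's attachments for valid Swedish personal identity numbers (regex candidate, date plausibility, Luhn check digit) and refuses to pass the message if any are found. The CSV attachment, the addresses and the identity numbers are constructed sample data, and the script uses only the Python standard library.

```python
import re
from email.message import EmailMessage

# Candidate Swedish personal identity numbers: optional century, six-digit birth date,
# optional '-' or '+' separator, four trailing digits. Digit boundaries on both sides
# keep the pattern from firing inside longer numeric runs.
PNR_RE = re.compile(r"(?<!\d)(?:\d{2})?(\d{6})[-+]?(\d{4})(?!\d)")


def is_valid_personnummer(ten_digits):
    """Validate the ten-digit form YYMMDDNNNC: plausible month/day plus Luhn check digit."""
    if len(ten_digits) != 10 or not ten_digits.isdigit():
        return False
    month, day = int(ten_digits[2:4]), int(ten_digits[4:6])
    # Days 61-91 are coordination numbers (samordningsnummer), which share the format.
    if not 1 <= month <= 12 or not (1 <= day <= 31 or 61 <= day <= 91):
        return False
    total = 0
    for i, ch in enumerate(ten_digits[:9]):
        product = int(ch) * (2 if i % 2 == 0 else 1)
        total += product - 9 if product > 9 else product  # digit sum of the product
    return (10 - total % 10) % 10 == int(ten_digits[9])


def find_personnummer(text):
    """Return every syntactically and arithmetically valid identity number in text."""
    hits = []
    for match in PNR_RE.finditer(text):
        candidate = match.group(1) + match.group(2)
        if is_valid_personnummer(candidate):
            hits.append(candidate)
    return hits


def check_outgoing_message(msg):
    """Map attachment filename -> number of valid identity numbers found in it."""
    findings = {}
    for part in msg.iter_attachments():
        content = part.get_content()
        text = content.decode("utf-8", errors="ignore") if isinstance(content, bytes) else str(content)
        hits = find_personnummer(text)
        if hits:
            findings[part.get_filename() or "<unnamed>"] = len(hits)
    return findings


def policy_allows_sending(msg):
    """Region rule quoted in the decision: sensitive personal data is not sent by e-mail."""
    return not check_outgoing_message(msg)


def build_sample_message():
    """Constructed sample: a CSV export standing in for the Excel reports in the decision."""
    rows = (
        "personnummer;diagnoskod;kontaktdatum;enhet\n"
        "811218-9876;J45.9;2019-03-04;Akutmottagningen\n"   # valid check digit
        "811218-9877;I10;2019-03-05;Medicinkliniken\n"      # wrong check digit, ignored
        "19811218-9876;E11.9;2019-03-06;Kirurgen\n"         # century-prefixed form
    )
    msg = EmailMessage()
    msg["From"] = "rapporter@example.org"   # hypothetical addresses
    msg["To"] = "kvalitet@example.org"
    msg["Subject"] = "Monthly quality report (constructed sample)"
    msg.set_content("Report attached.")
    msg.add_attachment(rows, subtype="csv", filename="rapport.csv")
    return msg


def build_clean_message():
    """Constructed sample with aggregate figures only, which the policy lets through."""
    msg = EmailMessage()
    msg["Subject"] = "Waiting times per department (constructed sample)"
    msg.set_content("Aggregates only, no identifiers.")
    msg.add_attachment("enhet;medelvantetid_dagar\nAkutmottagningen;3\n",
                       subtype="csv", filename="aggregat.csv")
    return msg


if __name__ == "__main__":
    report = build_sample_message()
    print("findings:", check_outgoing_message(report))                       # {'rapport.csv': 2}
    print("allowed:", policy_allows_sending(report))                          # False
    print("allowed (clean):", policy_allows_sending(build_clean_message()))   # True
```

In a real deployment the check would sit at the mail gateway or, better, in the export job that produces the report, and the identity-number rule would be one of several content rules (diagnosis codes and free-text fields need their own). The useful property shown here is that the rule fails closed on a valid check digit rather than on the mere shape of a number, which keeps false positives from dates and reference numbers low while still catching both separator styles and the century-prefixed form.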
The data breach notification in this case also generated a parallel investigation in which the IMY imposed a fine of approximately €150,000 on the Uppsala University Hospital for a violation of Articles 5(1)(f) and 32(1) GDPR by emailing unencrypted medical records to patients and hospitals abroad (IMY (Sweden) - DI-2021-5595).
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
The Regional Board of the Uppsala Region, 751 85 Uppsala
Record number: DI-2019-9457
Date: 2022-01-26
Decision after supervision according to the Data Protection Regulation against the Regional Board of the Uppsala Region

Table of contents
The decision of the Integrity Protection Authority
Report on the supervisory matter
  The starting point for the supervision
  Information from the regional board
    The first category of personal data processing - e-mail that was sent automatically
    The second category of personal data processing - e-mail that was sent manually
    Information relating to both personal data processing operations
Grounds for the decision
  Applicable rules
    The responsibility of the personal data controller
    The requirement for security in the processing of personal data, etc.
  IMY's assessment
    Personal data responsibility
    Sensitive personal data has been sent unencrypted within the region
Choice of intervention
  Legal regulation
  Imposition of a penalty fee
How to appeal

Postal address: Box 8114, 104 20 Stockholm. Website: www.imy.se. E-mail: firstname.lastname@example.org. Phone: 08-657 61 00.

The decision of the Integrity Protection Authority

The Integrity Protection Authority (IMY) finds that the Regional Board of the Uppsala Region (the regional board), as personal data controller, during the period from 25 May 2018 until 7 May 2019 processed personal data in violation of Article 32(1) of the Data Protection Regulation. This has been done by the regional board sending sensitive personal data and personal identity numbers via e-mail within the region. The transmission of the e-mail was encrypted but not the information in the e-mails. The processing has also taken place in violation of Region Uppsala's own guidelines. This means that the regional board has not taken appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing.

IMY decides, on the basis of Articles 58(2) and 83 of the Data Protection Regulation and Chapter 6, Section 2 of the Data Protection Act, that the regional board, for violation of Article 32(1) of the Data Protection Regulation, shall pay an administrative penalty fee of 300,000 (three hundred thousand) kronor.

Report on the supervisory matter

The starting point for the supervision

IMY decided to initiate supervision of the regional board after a notification of a personal data incident from the regional board on 7 May 2019. IMY's review covers two categories of personal data processing. The first category refers to e-mails with patient information sent automatically to the relevant care administrations within the Uppsala Region for, among other things, administration and quality assurance. The second category refers to e-mails with patient information sent manually to researchers and doctors within the Uppsala Region for, among other things, research and quality monitoring. IMY has examined whether the personal data processing in the e-mail meets the security requirements laid down in Article 32 of the Data Protection Regulation.

The Data Protection Regulation came into force on 25 May 2018. IMY's supervision therefore covers the period from 25 May 2018 to 7 May 2019 (when the notification was received). IMY has not reviewed the measures that the regional board has stated that it has taken after 7 May 2019.

Information from the regional board

The Regional Board has stated, among other things, the following.

The first category of personal data processing - e-mail sent automatically

The statistical database Cosmic Intelligence retrieved personal data from the main journal system Cosmic. The personal data was then retrieved by Business Objects, which put the information in an Excel file. The transfers took place automatically each month. Business Objects then sent the Excel files to the relevant healthcare administrations within the Uppsala Region, such as the University Hospital and the Hospital in Enköping. The e-mail messages were sent automatically every month to Region Uppsala's e-mail domains. The e-mails were sent only to authorised persons within the administration concerned within the Uppsala Region.

The Excel files could contain all the information from the patient record, in addition to the running text from the patient record's free-text field. Depending on the type of report, other information could also be included, such as waiting times and patient category. The Excel files also contained information about personal identity number, name, care unit and contact date. About 25 e-mails were sent each month to about a hundred recipients within the Academic Hospital's area of activity. Hundreds of senders and recipients within the Uppsala Region had access to the personal data.

The overall purpose of the processing of personal data has been administration, for example to correct errors in the operations and rectify them. In addition, the purpose has been to develop and ensure the quality of the operations. The processing of personal data has been ongoing from 2015 until the regional board's notification of the incident to IMY on 7 May 2019. The processing was stopped completely in connection with the discovery of the incident.

The second category of personal data processing - e-mail sent manually

The statistical database Cosmic Intelligence retrieved personal data from the main journal system Cosmic. The Diver output system then retrieved personal data from Cosmic Intelligence and the patient administration systems IMX and PAS. Extraction of personal data was then done manually from Diver to Excel files. The manual extractions were made by, among others, the system developer and the administrator at the regional office. These Excel files were then sent to doctors when they had requested information for quality monitoring purposes and to researchers when they had requested research data. The e-mails were sent only to recipients who were employees within Region Uppsala, i.e. only to Region Uppsala's e-mail domains. This means that the e-mails were not sent to e-mail addresses affiliated with Uppsala University.

The Excel files could, among other things, contain information about personal identity numbers, diagnosis codes, contact date, area of activity, age, county, action code and department. The Excel files did not contain names. The Excel files only concerned patients who were being treated at the Academic Hospital. Approximately 200-250 e-mails were sent per year. Hundreds of senders and recipients within the Uppsala Region had access to the personal data.

The personal data was processed for administrative purposes, to develop and secure the quality of the operations, and for research purposes. The processing of personal data lasted from September 2014 until the regional board's notification of the incident to IMY on 7 May 2019. The processing was stopped completely in connection with the discovery of the incident, and work began to develop a solution for e-mail encryption.

Information concerning both personal data processing operations

Personal data responsibility

The Regional Board is personal data controller for the processing that concerns the compilation of data in Business Objects and for the processing that takes place in the automatic transmission by e-mail. The processing takes place at the regional office administration, which is placed under the regional board. This assessment is made given that the regional board is an independent administrative authority which determines the purposes and means of the processing of personal data. The Regional Board is also personal data controller for the processing that takes place in Diver and for the processing that takes place via the manual transmission by e-mail. The Regional Board has attached the documents Regulations for boards and committees in Uppsala Region and the Regional Board's delegation procedure.

Governing document

According to Region Uppsala's governing document on handling mail and e-mail, sensitive personal data may not be communicated via e-mail.

Categories of data subjects

The categories of data subjects are employees, patients, children and persons with protected identity. In the case of employees, information about them only appears in sending and receiving e-mail addresses. The personal data processing affects a total of between 100,000 and 500,000 individuals for the period 2015-2019.

Categories of users

The categories of users who have access to the personal data are administrative personnel with access to source systems and storage areas.

Encryption

The transport (transmission) of e-mail within the region was encrypted, though the information in the Excel files was not protected by encryption. The e-mail was transported encrypted with the cryptographic communication protocol TLS 1.2 to recipients within the Uppsala Region. In the first personal data processing, the Regional Board used a local e-mail server when transporting e-mail between Business Objects and recipients within the region. In the second processing, the Regional Board used Microsoft Outlook for the e-mail. There were no technical protection measures to prevent reading and modification of the information in the Excel files. There were also no protective measures in place to prevent unauthorised persons from accessing the information.

Grounds for the decision

Applicable rules

The responsibility of the personal data controller

Whoever, alone or together with others, determines the purposes and means of the processing of personal data is the personal data controller. This is stated in Article 4(7) of the Data Protection Regulation.

The controller is responsible for, and must be able to demonstrate, that the basic principles of Article 5 of the Data Protection Regulation are complied with (Article 5(2) of the Regulation). The controller is responsible for implementing appropriate technical and organisational measures to ensure and be able to demonstrate that the processing is carried out in accordance with the Data Protection Regulation. The measures shall be implemented taking into account the nature, scope, context and purposes of the processing and the risks, of varying likelihood and severity, for the rights and freedoms of natural persons. The measures must be reviewed and updated as necessary. This is stated in Article 24(1) of the Data Protection Regulation.

The requirement for security in the processing of personal data, etc.

Health information constitutes so-called sensitive personal data. It is prohibited to process such personal data under Article 9(1) of the Data Protection Regulation, unless the processing is covered by one of the exceptions in Article 9(2) of the Regulation.

It follows from Article 32 of the Data Protection Regulation that the controller and the processor shall take appropriate technical and organisational measures to ensure a level of security appropriate in relation to the risk of the processing. This must be done taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing and the risks, of varying likelihood and severity, for the rights and freedoms of natural persons. In assessing the appropriate level of security, particular account shall be taken of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to the personal data transmitted, stored or otherwise processed. This is clear from Article 32(2) of the Data Protection Regulation.

Recital 75 of the Data Protection Regulation sets out factors that must be taken into account in the assessment of the risk to the rights and freedoms of natural persons, among other things the loss of confidentiality of personal data covered by the obligation of professional secrecy and whether the processing concerns information about health or sex life; furthermore, whether the processing concerns personal data about vulnerable natural persons, in particular children, or whether the processing involves a large amount of personal data and affects a large number of data subjects. Recitals 39 and 83 also provide guidance on the more detailed meaning of the requirements of the Data Protection Regulation on security when processing personal data.

IMY's assessment

Personal data responsibility

The Regional Board has stated that it is personal data controller for the e-mail transfers described in the case, which is supported by the investigation in the case. IMY therefore assesses that the regional board is personal data controller for the processing operations concerned.

Sensitive personal data has been sent unencrypted within the region

The Regional Board has sent Excel files with patient information within the region via e-mail. In the case of the first category of personal data processing, about 25 e-mail messages were sent automatically every month, and for the second category about 200-250 e-mails were sent manually per year. The transmission of the e-mail within the region was encrypted but not the information in the Excel files. The Regional Board has stated that sensitive personal data may not be communicated via e-mail according to Region Uppsala's governing document on handling mail and e-mail.

As personal data controller, the regional board shall take appropriate technical and organisational measures to ensure an appropriate level of security in relation to the risks (Article 32 of the Data Protection Regulation). The personal data processed must, for example, be protected against unauthorised disclosure or unauthorised access. What the appropriate level of security is varies in relation to, among other things, the risks for the rights and freedoms of natural persons arising from the processing and the nature, scope, context and purposes of the processing. In the assessment, account must be taken of, for example, what type of personal data is processed, for example in the case of health information.[3]

The Excel files in question contained personal health information, which is sensitive personal data. Processing of sensitive personal data can mean significant risks to privacy. In addition, the Excel files contained personal identity numbers,[4] which are considered to be particularly privacy-sensitive personal data. The information in the e-mail messages was therefore of such a nature that it required strong protection.

The transmission of the e-mail from the regional board was encrypted but not the information in the e-mails. This meant that the information in the Excel files could not be intercepted (read) during the actual transfer. However, the information could be read in clear text by both authorised and unauthorised recipients after the transfer. With an automated transmission, there is a certain risk that data will fall into the wrong hands if the system were updated incorrectly. In the case of a manual transfer of personal data, there is a higher risk of the data falling into the wrong hands compared with an automated transfer. This is because the person sending the information could write an incorrect recipient address.

According to IMY's assessment, the regional board should have taken technical measures, for example in the form of encryption, to protect the information in the automated and the manual e-mails against unauthorised disclosure or unauthorised access and thereby ensure an appropriate level of protection.

According to the regional board, Region Uppsala's governing document on handling mail and e-mail states that sensitive personal data may not be communicated via e-mail. The Regional Board has thus identified the risks that the processing of sensitive personal data in e-mail entails, but has not taken sufficient measures to comply with its guidelines. IMY thus finds that the regional board has not taken the appropriate organisational measures required to ensure the security of the processing.

Overall, IMY finds that the Regional Board has not taken appropriate technical and organisational measures to ensure an appropriate level of security in relation to the risk of the processing. The Regional Board has therefore processed personal data in breach of Article 32(1) of the Data Protection Regulation.

Choice of intervention

Legal regulation

In the event of violations of the Data Protection Regulation, IMY has a number of corrective powers available under Article 58(2)(a) to (j) of the Data Protection Regulation, including reprimand, order and penalty fees. IMY shall impose penalty fees in addition to, or instead of, other corrective measures referred to in Article 58(2) of the Data Protection Regulation, depending on the circumstances of each individual case.

Member States may lay down rules on whether and to what extent administrative penalty fees may be imposed on public authorities. This is clear from Article 83(7) of the Regulation. Sweden has accordingly decided that the supervisory authority may charge penalty fees to authorities. For infringements of, among others, Article 32, the fee amounts to a maximum of SEK 5,000,000. This follows from Chapter 6, Section 2 of the Data Protection Act and Article 83(4) of the Data Protection Regulation.

If a controller or a processor, with respect to the same or interconnected processing operations, intentionally or negligently infringes several provisions of the Regulation, the total amount of the administrative penalty fee may not exceed the amount specified for the most serious infringement. This is clear from Article 83(3) of the Data Protection Regulation.

Each supervisory authority shall ensure that the imposition of administrative penalty fees in each individual case is effective, proportionate and dissuasive. This is provided for in Article 83(1) of the Data Protection Regulation. Article 83(2) of the Data Protection Regulation sets out the factors to be taken into account in deciding whether to impose an administrative penalty fee, and also in determining the amount of the penalty fee. If it is a question of a minor infringement, IMY may, as set out in recital 148, issue a reprimand in accordance with Article 58(2)(b) of the Regulation instead of imposing a penalty fee. Account shall be taken of aggravating and mitigating circumstances in the case, such as the nature, gravity and duration of the infringement as well as relevant previous infringements.

Imposition of a penalty fee

IMY has above assessed that the regional board has violated Article 32(1) of the Data Protection Regulation. Infringements of that provision may, as stated above, give rise to penalty fees.

The violations have taken place because the regional board has sent a large amount of unencrypted patient data within the region via encrypted e-mail. The personal data in the e-mail included sensitive personal data and personal identity numbers, which entailed a high risk to the data subjects' rights and freedoms. The processing operations have taken place systematically and for a long time. The processing operations have also taken place in violation of Region Uppsala's own guidelines. These factors mean, overall, that a penalty fee should be imposed.

IMY finds that the manual and the automatic transmission of e-mail constitute interconnected processing operations within the meaning of Article 83(3) of the Data Protection Regulation. This is because the processing operations concern patient data that was retrieved from the main journal system Cosmic for similar purposes, such as administration and quality assurance. In addition, it is a matter of violation of the same provision, i.e. Article 32(1) of the Regulation.

In determining the size of the penalty fee, IMY shall take into account both aggravating and mitigating circumstances and that the administrative penalty fee should be effective, proportionate and dissuasive.

It is aggravating that the personal data processing has been going on for a long time, that is, during the period under review from 25 May 2018 to 7 May 2019, and that it has taken place systematically. It is also aggravating that the processing operations included a large amount of health information that unauthorised persons have been able to access after the transfer. As for the first category of personal data processing, it has been about 25 e-mails per month that unauthorised persons have been able to access, and in the case of the second category around 200-250 e-mail messages per year. The Regional Board estimates that the personal data processing has in total affected between 100,000 and 500,000 individuals for the period 2015-2019. It is thus a question of a large number of data subjects during a year. Through the data processed, the data subjects can be identified directly through, for example, names, personal identity numbers and health information. IMY therefore considers that, given the nature and scope of the data and the dependency of the data subjects, the regional board has a special responsibility to ensure appropriate protection for personal data, which did not happen. It is also aggravating that the processing operations took place in violation of Region Uppsala's own guidelines that sensitive personal data should not be sent by e-mail.

As mitigating circumstances, IMY considers that the transmission of the e-mail was encrypted and that the e-mail was sent internally within the region. This means that the regional board has taken certain measures in order to comply with the requirements and reduce the risks of the processing operations. IMY also considers that the regional board stopped the processing in connection with the notification of a personal data incident to IMY on 7 May 2019.

IMY decides, on the basis of an overall assessment, that the regional board must pay an administrative penalty fee of SEK 300,000 (three hundred thousand).

This decision was made by Director General Lena Lindgren Schelin after presentation by lawyer Linda Hamidi. Chief legal counsel David Törngren, unit manager Malin Blixt and IT security specialist Ulrika Sundling also participated in the final processing.

Lena Lindgren Schelin, 2022-01-26 (This is an electronic signature)

Appendix: Information on payment of penalty fee.
Copy to: The Data Protection Officer.

How to appeal

If you want to appeal the decision, you must write to the Integrity Protection Authority. State in the letter which decision you are appealing and the change you are requesting. The appeal must have been received by the Integrity Protection Authority no later than three weeks from the date the decision was announced. If the appeal has been received in time, the Integrity Protection Authority forwards it to the Administrative Court in Stockholm for examination. You can e-mail the appeal to the Integrity Protection Authority if it does not contain any privacy-sensitive personal data or data that may be covered by secrecy. The authority's contact information can be found on the first page of the decision.

Footnotes
1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
2. The Act (2018:218) with supplementary provisions to the EU Data Protection Regulation.
3. See recitals 75 and 76 of the Data Protection Regulation.
4. See Article 87 of the Data Protection Regulation and Chapter 3, Section 10 of the Data Protection Act.
5. See the Swedish Data Inspectorate's report Reported personal data incidents 2019 (report 2020:2).