IMY (Sweden) - IMY-2022-695
From GDPRhub
| IMY - IMY-2022-695 | |
|---|---|
 | |
| Authority: | IMY (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 4(15) GDPR Article 9(1) GDPR Article 32(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 17.01.2023 |
| Published: | |
| Fine: | 200000 SEK |
| Parties: | n/a |
| National Case Number/Name: | IMY-2022-695 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Swedish |
| Original Source: | IMY (in SV) |
| Initial Contributor: | hanna.vir |
The Swedish DPA imposed a fine of approximately €1.800 on Region Dalarna for failing to implement adequate safety measures to protect special categories of data against unauthorised disclosure when sending written summons to health care visits by mail.
English Summary
Facts
The DPA initiated the case after a complaint from a data subject who stated that they had received a summons to a healthcare visit by mail with the healthcare facility and the fact that the letter inside concerned a summons to a health care visit fully visible in the window envelope.
The DPA limited the case to summons sent from three healthcare facilities that offer specialist care for children and youth ages 0-17 years old with mental health issues and sleep disorders and whether the controller Region Dalarna had implemented appropriate technical and organisational measures according to article 32(1) GDPR when sending the summons to healthcare visits.
In the case it is established that summons to health care visits sent by mail from these healthcare facilities had the following information fully visible in the window envelope: information that the letter inside concerned a summons to a healthcare visit, name of the data subject, address, and name of healthcare facility. This meant that this information had been exposed to staff handling the mail, other members of the same household and persons receiving the letter that was delivered to the wrong address.
The controller had engaged a processor with the task of digitally receiving information about the summonses, printing them, and sending them by mail. The controller had identified the risk that personal data other than the address might become visible in the window envelope and therefore purchased an additional service to hide information in the window envelope. However, upon further investigation by the controller this additional service only applied to summonses that were maximum five A4-pages. Other summonses were sent in window envelopes with for instance the healthcare facility fully visible. This concerned 2 500 mailings per year.
Holding
The DPA held first that the sending of physical summons to health care visits by mail constituted processing of personal data partly by automated means and that the GDPR therefore was applicable.
The DPA assessed that a summons to one of the three healthcare facilities included in the case constituted data concerning health according to article 4(15) GDPR, and therefore also constituted special categories of data according to article 9(1) GDPR, because of the specific care that these healthcare facilities provided (specialist care for children and youth ages 0-17 years old with mental health issues and sleep disorders).
The DPA then determined that for the controller to have implemented adequate safety measures, the data concerning health should have been hidden in the window envelope. The controller had therefore violated article 32(1) GDPR by not concealing data concerning health in the window envelope.
The DPA noted that although the controller had taken measures to prevent the disclosure of personal data by purchasing an additional service to hide information, the controller should have ensured that the service functioned as intended by the controller.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
1(8)
The Health and Medical Services Board in Region Dalarna
Diary number:
IMY-2022-695 Decision after supervision according to
Your diary number: data protection regulation - Health and
HSN 2022/1069
the health care board in Region Dalarna
Date:
2023-01-17
The Privacy Protection Authority's decision
The Swedish Privacy Agency (IMY) notes that the Health and Medical Board i
Region Dalarna (the board) from 6 May 2021 to and including 6 July 2022 has
processed personal data in violation of article 32.1 of the data protection regulation, by
not to take appropriate technical and organizational measures to ensure a
appropriate level of protection in connection with the sending of physical invitations to certain care visits
within Region Dalarna.
2
IMY decides with the support of ch. 6. Section 2 of the Data Protection Act and Articles 58.2 and 83 i
the data protection regulation that the board must pay an administrative sanction fee of
200,000 (two hundred thousand) kroner.
Account of the supervisory matter
IMY has initiated supervision of the committee due to information that emerged in one
complaint from a person who, on 6 May 2021, received an invitation via letter to a healthcare visit
within Region Dalarna. The complaint states that the summons was in a window envelope and that
information that it was a summons, the complainant's name and address and the care facility
ning the summons was fully visible in the window of the envelope. The purpose of IMY's supervision is to
investigate the board's processing of personal data in connection with the use of
the current type of window envelope for invitations to health care visits meets the requirements for
security in connection with the processing according to article 32 of the data protection regulation.
Within the framework of the supervisory matter, IMY has only reviewed the committee's mailing of summonses
regarding the Child and Adolescent Medical Clinic Mora, Call Center
children and young people Falun and the Sleep Laboratory in Avesta.
The board has essentially stated the following. The committee is a healthcare provider and personal
Postal address: responsible for the personal data processing that the supervision refers to. Summons from
Box 8114
Region Dalarna is sent using Postnord Strålfors AB's (Strålfors) function
104 20 Stockholm e-LETTER. The notices are sent securely in digital format from Region Dalarna's journal system
Website: to Strålfors, which mechanically prints, envelopes and sends the invitation to the addressee.
www.imy.se
Email: 1
imy@imy.se Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with
Telephone: Directive 95/46/EC (General Data Protection Regulation). the free flow of such data and on the cancellation of
2 The Act (2018:218) with supplementary provisions to the EU's data protection regulation.
08-657 61 00 The Swedish Privacy Agency Diary number: IMY-2022-695 2(8)
Date: 2023-01-17
The board identified the risk of using double windows when the service
was procured and therefore bought an additional service which means that envelopes which only
contains a window with the recipient's address to be used. On these envelopes is written
Region Dalarna's postal address printed where the sender's address is usually placed and
the name of the clinic/department that sent the summons is therefore not shown. The board's
opinion is that the sending clinic should not appear on the envelope.
In a statement to IMY dated 28 April 2022, the board stated that it had started a
investigation together with Strålfors. In an opinion dated 16 June 2022, the board stated i
mainly the following. It is unclear when the committee started sending summons where the patient's
name and the care facility to which the summons refers appear on the window of the envelope.
The investigation shows that the additional service where the sender is hidden only applies to sending
of a maximum of five A4 sheets. If the mailing contains more A4 sheets, a larger envelope is required
be used and then there are no customer-unique envelopes in the assignment that has been signed
eBREV, standard envelopes with two windows are used instead. In the same opinion stated
the committee that the investigative work to review the flow regarding the sending of summonses via
eBREV and risks linked to these that could generate a personal data-
incident in progress. In parallel with this, a discussion is being held with Strålfors about the need to
renegotiate the customer assignment to ensure that the correct type of envelope, with hidden
sender, used for all mailings.
In an opinion dated June 16, 2022, the board stated that the treatment that is
subject to supervision had not ceased. In a supplement that the board submitted to IMY
on July 6, 2022, it was stated that the board, until an agreement is reached
with Strålfors, will change the template for invitations to visit the three units
(Children's and youth medicine clinic Mora, Children's and youth consultation clinic
young Falun and the Sleep Laboratory in Avesta) that have been identified send invitations with
attachments exceeding five A4 sheets. The board has attached a picture that shows that
the invitations will be sent in an envelope with two windows, where Region Dalarnas
postal address appears in one window and information that it is a visit
via video link and the patient's name and address in the second.
In an opinion dated August 9, 2022, the board stated that previous answers have been deleted
from invitations sent through the Take Care IT system. It is about 2,500
summons per year, which corresponds to 0.5 percent of the total number of summons sent
through the current system.
Justification of the decision
Applicable regulations
Scope of the Data Protection Regulation
Article 2.1 of the data protection regulation states that the regulation must be applied to
such processing of personal data that is fully or partially carried out automatically
as well as on other than automatic processing of personal data that is part of or will be
to be included in a register.
In doctrinanges that because the data protection regulation includes partially automated
processing of personal data, the regulation is applicable in the case of disclosure on paper of
personal data that is in data format. Furthermore, the Chancellor of Justice has assessed that
3 See Öhman, Data Protection Regulation (GDPR) etc. (October 13, 2022, Version 2A, JUNO), Comment to Article
2.1 subheading Automated processing. The Swedish Privacy Agency Diary number: IMY-2022-695 3(8)
Date: 2023-01-17
the expression "fully or partially automated processing of personal data" in the present
the repealed Personal Data Act (1998:204) covered the sending of documents by post
when the underlying processing of the personal data was automated. 4
Personal data is defined in Article 4.1 of the Data Protection Regulation as any information
which refers to an identified or identifiable natural person.
Processing is defined in Article 4.2 of the Data Protection Regulation as an action or
combination of measures concerning personal data or sets of
personal data, regardless of whether it is performed automatically or not, such as collection,
registration, organization, structuring, storage, processing or modification,
production, reading, use, disclosure by transmission, dissemination or
otherwise providing, adjusting or combining, limiting, erasing
or destruction.
Personal data responsibility and the principle of accountability
According to Article 4.7 of the data protection regulation, the person in charge of personal data means a
natural or legal person, public authority, institution or other body which
alone or together with others determines the purposes and means of treatment
ling of personal data. If the purposes and means of the processing are determined by
Union law or the national law of the Member States can the personal data controller
or the special criteria for how he is to be appointed are prescribed in Union law or in
national law of the Member States.
According to ch. 2 Section 6 of the Patient Data Act (2008:355), PDL, is a care provider personal data-
responsible for the processing of personal data carried out by the care provider. In a region or
a municipality is any authority that provides health care personal data-
responsible for the processing of personal data carried out by the authority.
According to Article 5.2 of the Data Protection Regulation, the person in charge of personal data shall be responsible
for and be able to demonstrate that the principles in Article 5.1 are complied with (the principle of
liability).
The personal data controller is responsible for implementing appropriate technical and
organizational measures to ensure and be able to demonstrate that the processing is carried out in
in accordance with the data protection regulation. The measures must be implemented taking into account
the nature, scope, context and purpose of the processing and the risks, of
varying degrees of probability and seriousness, for the freedoms and rights of natural persons.
The measures must be reviewed and updated if necessary. It appears from Article 24.1 i
data protection regulation.
Data on health
Information about health is defined in Article 4.15 of the Data Protection Regulation as personal
data relating to a natural person's physical or mental health, including
provision of healthcare services, which provide information about his
health status. Information about health constitutes so-called sensitive personal data. It is
prohibited to process such personal data according to Article 9.1 of the Data Protection Ordinance
ning, unless the processing is covered by one of the exceptions in Article 9.2 i
the regulation.
4See JK decision 2020-05-18, dnr 3850-19-4.3.2. Data Protection Agency Diary number: IMY-2022-695 4(8)
Date: 2023-01-17
Recital 35 of the data protection regulation states the following. Personal information about health should
include all the information relating to a registered person's state of health which
provides information about the data subject's past, present or future physical or
mental health conditions. This includes information about the natural person who
collected in connection with registration for or provision of health and
healthcare services to the natural person according to the European Parliament and the Council
directive 2011/24/EU, a number, a symbol or a characteristic such as the physical
the person assigned to identify him for health care purposes, data
arising from tests or examination of a body part or body substance,
including genetic information and biological samples, and other information about, for example
disease, disability, risk of disease, medical history, clinical treatment or the
recorded physiological or biomedical conditions, regardless of the source, for example
show from a doctor or other healthcare professional, a hospital, a medical technician
product or an in vitro diagnostic test.
In the case Lindqvist (C-101/01, EU:C:2003:596, point 51), the Court of Justice of the EU has determined that
information that a person has injured their foot and is on part-time sick leave constitutes a person-
data relating to health according to the data protection directive (the directive was repealed by
data protection regulation). The European Court of Justice stated in the case that with regard to the purpose of
the data protection directive, the expression "data relating to health" should be given a broad interpretation and
considered to include data relating to all aspects of a person's health, both physical and
psychological ones (see point 50). The European Court of Justice has further in a later ruling
Vyriausioji tarnybinės etikos komisiya (C-184/20, EU:C:2022:601) stated that
the concept of sensitive personal data according to article 9.1 of the data protection regulation shall
interpreted broadly and judged that even personal data that indirectly reveals a physical
a person's sexual orientation constitutes sensitive personal data according to the person in question
the provision.
The European Data Protection Board (EDPB) has stated that the concept of health data
according to the data protection regulation must be interpreted broadly against the background of, among other things, EU
the court's judgment in the Lindqvist case and as it appears from reason 53 of the data protection
the regulation that information about health deserves extensive protection. IMY has in one
legal position deemed that information about guardianship according to the parental code
are information about health (IMYRS 2022:3).
The requirement for security when processing personal data
It follows from Article 32.1 of the data protection regulation that the personal data controller and
the personal data assistant must take appropriate technical and organizational measures to
ensure a level of safety that is appropriate in relation to the risk of the treatment.
It must take into account the latest developments, implementation costs
and the nature, scope, context and purpose of the processing as well as the risks, of
varying degree of probability and seriousness, for the rights and freedoms of natural persons.
When assessing the appropriate security level, special consideration must be given to the risks that
the processing entails, in particular from accidental or illegal destruction, loss or
alteration or unauthorized disclosure of or unauthorized access to personal data which
transferred, stored or otherwise processed. It appears from Article 32.2 i
data protection regulation.
5Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with
regarding the processing of personal data and the free flow of such data.
6See the EDPB's guidelines 03/2020 on the processing of data on health for scientific research purposes in connection
with the covid-19 outbreak, p. 5. The Swedish Privacy Agency Diary number: IMY-2022-695 5(8)
Date: 2023-01-17
Recital 75 of the data protection regulation states factors that must be taken into account in the assessment
of the risk to the rights and freedoms of natural persons. Loss of, among other things, is mentioned
confidentiality with regard to personal data subject to confidentiality and whether
the processing concerns information about health or sexual life. Further must be taken into account
the processing concerns personal data about vulnerable natural persons, especially children,
or if the processing involves a large number of personal data and applies to a large
number of registrants.
In recital 76 of the data protection regulation, it is stated that how likely and serious the risk is to it
data subject's rights and freedoms should be determined based on the nature of the processing,
scope, context and purpose. The risk should be evaluated on the basis of a
objective assessment, through which it is determined whether the data processing includes
a risk or high risk.
If the personal data controller hires a personal data assistant to carry out a
processing, the personal data controller shall only employ personal data assistants who
provides sufficient guarantees to implement appropriate technical and organizational
measures. It must take place in such a way that the processing meets the requirements of
data protection regulation and that the data subject's rights are protected. It appears from
article 28.1 and recital 81 of the data protection regulation.
The Swedish Privacy Protection Authority's assessment
The investigation into the matter shows that the board during the period from 6 May 2021 to and including
on 6 July 2022 has used a service for sending physical letters which meant that
some invitations to health care visits have been sent out in window envelopes with information that it is
a summons, the patient's name and address and the care facility to which the visit relates
were fully visible.
The Data Protection Regulation is applicable
The information in the summons that was visible through the window envelopes refers to
identified persons. It is therefore a matter of personal data. The board's
processing of the personal data consists of a series of measures where the board's
disclosure of personal data by physical mail has been a part. The underlying part
of the process, which, among other things, means that invitations are sent in digital format from
Region Dalarna's journal system is automated. IMY therefore assesses that it is a question
about a partially automated processing of personal data covered by
scope of application of the data protection regulation.
Personal data responsibility
The board has stated that it is the healthcare provider responsible for personal data for that treatment
of personal data in the event of invitations to healthcare visits within the Dalarna Region that are subject to
supervision, which is supported by the other investigation in the case. IMY therefore assesses that
the committee is responsible for personal data for the current processing.
The treatment involved a high risk
As a personal data controller, the board must, according to Article 32.1 of the Data Protection Ordinance,
ning, take appropriate technical and organizational measures to ensure a
appropriate level of security in relation to the risks involved in processing personal data. The
also applies when personal data is processed by a personal data processor. IMY does
the following assessment of the risks of the treatment in question. The Swedish Privacy Agency Diary number: IMY-2022-695 6(8)
Date: 2023-01-17
According to information from the board, summonses that have shown sender reception have been sent
from the Child and Adolescent Medicine Clinic Mora, Children's Call Center
and young Falun and the Sleep Laboratory in Avesta. The investigation into the matter shows that
the receptions offer care for children and young people aged 0–17 with illnesses and
illness that requires more specialist knowledge and resources than is normally available
care centre, help for children and young people up to 17 years of age with mild to moderate mental illness
respective investigation and treatment of various sleep disorders.
IMY states that the concept of health must be interpreted broadly and assesses that the care which
given at the care facilities in question is so specific that an invitation to visit someone
of these receptions may be considered to provide information about the individual's physical or
mental health conditions.
Against this background, IMY assesses that the information regarding these care facilities,
which were fully visible at the time of dispatch, constitute information about health in the sense referred to in
Article 4.15 of the Data Protection Regulation. The data are therefore so-called sensitive
personal data covered by the protection according to Article 9.1 of the regulation.
The data is also protected within the health and medical care by confidentiality according to
25 ch. Section 1 of the Publicity and Confidentiality Act (2009:400). Because two of the concerned
the care facilities only provide care for people who are 17 years of age or younger
furthermore, it is established that in some cases the information has also referred to children, who are considered special
protected according to the data protection regulation. It is also a comprehensive one
treatment that includes approximately 2,500 mailings from several different care facilities.
Against this background, IMY assesses that it is a treatment that involved a
high risk and that strong protection was therefore required.
The board has not taken sufficient security measures
IMY states that the mailings with invitations to visits at Children's and Youth Medicine's
should the reception Mora, the Children and Young People's Call Reception Falun and
The sleep laboratory in Avesta took place in such a way that the sensitive personal data
have been fully visible to everyone who came into contact with the letters. The data has been
available to, for example, those who work with handling mail, those who share
household with the recipient and the person who received a letter that was delivered to the wrong address.
In order to achieve an appropriate level of security, the dispatches should, according to IMY's assessment, have
took place in such a way that the sensitive personal data was not visible. The committee
has thus not been able to ensure the level of security required according to Article 32.1
in the data protection regulation.
It can be stated that the board's opinion is indeed that it should not be apparent from
the envelope which reception a summons to a care visit refers to and that the board therefore
procured a service for the purpose of concealing sending reception. After IMY started supervision
however, the committee carried out an investigation which showed that the service in question only
included invitations on a maximum of five A4 sheets and that other invitations were sent in envelopes
which showed which clinic the visit was intended for. IMY states that it has arrived at
the committee as personal data controller to ensure that before the processing in question, it
the current add-on service fulfilled the need to keep the data hidden from others yet
the recipient of the letter.
7 See recital 38 of the data protection regulation. Privacy Protection Agency Diary number: IMY-2022-695 7(8)
Date: 2023-01-17
Against this background, IMY assesses that the committee has not taken sufficient measures
to ensure a level of security appropriate to the risk involved
current treatment. The board has therefore processed personal data in violation of
article 32.1 of the data protection regulation.
Choice of intervention
Applicable regulations
In the event of violations of the data protection regulation, IMY has a number of corrective powers
called to be available according to Article 58.2 a–j of the data protection regulation, including reprimand,
injunction and penalty fees.
Article 83.2 of the data protection regulation states that IMY must impose administrative
penalty fees in addition to or instead of the other measures referred to in Article 58.2
depending on the circumstances of the individual case. Member States may determine
rules for whether and to what extent administrative penalty charges can be imposed
public authorities. This is apparent from article 83.7 of the data protection regulation. According to
6 ch. Section 2 of the Data Protection Act allows IMY to collect penalty fees from authorities at
violations referred to in article 83.4, 83.5 and 83.6 of the data protection regulation and that
Article 83.1, 83.2 and 83.3 of the regulation shall then be applied.
In article 83.2 of the data protection regulation, the factors that must be taken into account when making a decision are stated
if administrative penalty fees are to be imposed and when determining the fee
size. If it is a question of a minor violation, IMY receives according to reason 148 more
data protection regulation to issue a reprimand instead of imposing a penalty fee.
The factors specified in Article 83.2 of the Data Protection Regulation must also be taken into account
the determination of the amount of the penalty fee. Each supervisory authority must ensure
that the imposition of administrative penalty charges is effective in each individual case,
proportionate and dissuasive. This is apparent from Article 83.1 of the Data Protection Ordinance.
A penalty fee must be imposed
IMY has concluded that the board has processed personal data in violation of Article
32.1 of the data protection regulation. IMY finds in an overall assessment of the
circumstances described under the heading Amount of the penalty fee that there is
reason to impose a penalty fee on the board and that it is therefore not a question of one
such a minor violation that there is reason to issue a reprimand instead.
The size of the penalty fee
For violations of, among other things, Article 32 of the Data Protection Ordinance may
the sanction fee for public authorities amounts to a maximum of SEK 5,000,000. The
appears from ch. 6. Section 2 of the Data Protection Act and Article 83.4 of the Data Protection Ordinance.
In the assessment of the seriousness of the violation, IMY considers in accordance with Article 83.2 g
in the data protection regulation that the processing has included sensitive personal data about
health and information about children, which are particularly worthy of protection according to data protection
the regulation.
Furthermore, IMY takes into account what has emerged about the nature and severity of the violation
and duration based on what is stated in article 83.2 a of the data protection regulation. Thereby
it can be established that the violation has been going on for a longer period of just over a year, from and
with May 6, 2021, when the patient who filed the underlying complaint
for the supervisory authority received its summons, up to and including July 6, 2022, when the board took Integritetsskyddsmyndigheten Diary number: IMY-2022-695 8(8)
Date: 2023-01-17
measures to hide the sender's receipt on the envelope when mailing. Against background
of the fact that the board stated that it is about 2,500 summonses per year can also
it is established that the violation affects a large number of registered users. Furthermore, it means
the fact that the violation has occurred in healthcare - i.e. a business there
the registered patient is in a dependent and vulnerable position i
relationship with the person in charge of personal data - that there is reason to look more seriously
the violation. However, IMY assesses that there are also factors that speak to the contrary
direction in the assessment of the seriousness of the infringement. First, it moves
if a physical handling and not a digital one which would have involved a risk of greater and
faster dissemination of the data. A distribution by regular mail is more
limited and controlled than a transfer via the open network. Furthermore, have
emerged that the committee identified the risk of exposing those in question
the personal data during mailings and therefore took certain measures in order to comply
the requirements and reduce the risks of the treatment.
IMY decides based on an overall assessment of the circumstances of the case that
The health care board in Region Dalarna must pay an administrative fee
penalty fee of SEK 200,000.
This decision has been taken by the general manager Lena Lindgren Schelin after a presentation
by the lawyer Maja Welander. In the final processing of the case has also
head of law David Törngren, acting head of unit Linn Sandmark and IT-
and information security specialist Magnus Bergström participated.
Lena Lindgren Schelin, 2023-01-17 (This is an electronic signature)
Copy to
The board's data protection officer
The appellant
How to appeal
If you want to appeal the decision, you must write to the Swedish Privacy Protection Agency. Enter in
the letter which decision you are appealing and the change you are requesting. The appeal shall
have been received by the Privacy Protection Authority no later than three weeks from the date of the decision
was announced. If the appeal has been received in time, Privacy Protection sends
the authority forwards it to the Administrative Court in Stockholm for review.
You can e-mail the appeal to the Privacy Protection Authority if it does not contain
any privacy-sensitive personal data or information that may be covered by
secrecy. The authority's contact details appear on the first page of the decision.
