NAIH (Hungary) - NAIH-2894-3/2021

From GDPRhub
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 32(1)(a) GDPR
Article 32(1)(b) GDPR
Article 32(2) GDPR
Article 33(1) GDPR
Article 34(1) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 14.03.2021
Published:
Fine: 10000000 HUF
Parties: Budapest Főváros Kormányhivatala XI. kerületi Hivatala
National Case Number/Name: NAIH-2894-3/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: NAIH webpage (in HU)
Initial Contributor: n/a

The Hungarian DPA (NAIH) held that transferring health data without password protection to general practitioners not authorised to access such data constitutes a personal data breach resulting in a high risk to the rights and freedoms of natural persons. The emergency situation caused by the Covid-19 pandemic does not exempt public authorities from taking appropriate data security measures and from lawfully processing personal data.

English Summary

Facts

A public interest disclosure was made to the Hungarian DPA (NAIH) detailing a personal data breach. In the case at hand, the XI. District Office of the Budapest Government Office (in Hungarian: "Budapest Főváros Kormányhivatala XI. kerületi Hivatala"; hereinafter the "District Office") sent by email, in an attached Excel sheet, the data of 1153 patients relating to their COVID testing to general practitioners (physicians) in the XI, XII and XXII Districts of Budapest. The Excel sheet was not protected by a password or by any other means. A person who was not even one of the general practitioners originally addressed by the District Office forwarded the Excel sheet and the District Office's accompanying email to the NAIH as a public interest disclosure.

The NAIH examined whether the transferring of patient data by the District Office constituted a personal data breach, the related risks to the rights and freedoms of natural persons, as well as the breach management of the District Office.

It is worth noting that, after receiving the NAIH's inquiry concerning the personal data breach, the District Office requested the opinion of the data protection officer of the Budapest Government Office. The data protection officer took the view that the transfer of patient data by email constituted a personal data breach, but that the breach did not result in a risk to the rights and freedoms of natural persons, since the data was only received by general practitioners who are bound by professional secrecy.

Holding

The NAIH decided that the transfer of patient data by email constituted a personal data breach, since the personal data (including sensitive data) was forwarded to general practitioners who had no right to access it. It follows that the District Office should have sent the patient data only to the competent general practitioners of the given district, and only with password protection (providing the password through a different channel), or should have chosen another secure way of transferring the data (e.g. through the Hungarian Electronic Health Service Space).

With regard to the personal data breach, the NAIH also highlighted that it resulted in a high risk to the rights and freedoms of natural persons. A wide range of sensitive data became accessible to unauthorised third parties, raising the chance that further unauthorised persons would gain access to the data and process it unlawfully (e.g. the person who made the public interest disclosure to the NAIH, or anyone who might send direct marketing material related to health services).

The NAIH further highlighted that the emergency situation caused by the Covid-19 outbreak did not exempt the District Office from complying with appropriate data security standards. Since the District Office performs public tasks and processes health data as its core activity, it can be expected to process such data carefully, in a manner that is appropriate from a data protection point of view, and to assess the risks associated with the processing.
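The two measures the NAIH names in the Holding, sending each district's rows only to that district's practitioners and password-protecting the file with the password delivered over a separate channel, can be implemented together. The Go program below is an added illustration written for this page; it is not the District Office's process, not code from the decision, and uses only the Go standard library. The patient rows are constructed and invented, PBKDF2 is written out by hand over HMAC-SHA256 rather than imported, and the "other channel" for the passphrase is left as a field on the result (a hypothetical phone or SMS step), because the point is that it never travels in the same email as the attachment. The third route the authority mentions, the Electronic Health Service Space, is a platform choice and is not modelled here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/csv"
	"encoding/hex"
	"errors"
)

type Patient struct{ Name, District, TestResult string } // constructed record: one row of the export

// Constructed sample rows; the names and results are invented for this example.
var samplePatients = []Patient{{"Patient A", "XI", "positive"}, {"Patient B", "XII", "negative"},
	{"Patient C", "XI", "negative"}, {"Patient D", "XXII", "positive"}}

// Dispatch is what leaves the office for one district: the sealed attachment (salt || nonce || AES-256-GCM
// ciphertext) travels by e-mail; the passphrase goes over a different channel (phone, SMS), never the same message.
type Dispatch struct{ District, Passphrase string; Attachment []byte }

const saltLen, nonceLen, keyLen, pbkdf2Iter = 16, 12, 32, 100_000

// PartitionByDistrict applies need-to-know: a GP only receives the rows of their own district.
func PartitionByDistrict(rows []Patient) map[string][]Patient {
	out := make(map[string][]Patient)
	for _, p := range rows {
		out[p.District] = append(out[p.District], p)
	}
	return out
}

// ToCSV serialises one district's rows behind a header line (stands in for the Excel sheet).
func ToCSV(rows []Patient) []byte {
	var buf bytes.Buffer
	recs := [][]string{{"name", "district", "test_result"}}
	for _, p := range rows { recs = append(recs, []string{p.Name, p.District, p.TestResult}) }
	csv.NewWriter(&buf).WriteAll(recs) // WriteAll flushes
	return buf.Bytes()
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) over HMAC-SHA256, written out so only the standard library is needed.
func pbkdf2SHA256(pass, salt []byte, iter, n int) []byte {
	var key []byte
	for block := uint32(1); len(key) < n; block++ {
		mac := hmac.New(sha256.New, pass)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil); t := append([]byte(nil), u...) // U1 = PRF(P, S || INT(block)); T = U1 xor ... xor Uc
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t { t[j] ^= u[j] }
		}
		key = append(key, t...)
	}
	return key[:n]
}

// newGCM derives the AES-256 key from the passphrase and salt and returns the AEAD.
func newGCM(pass string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(pass), salt, pbkdf2Iter, keyLen))
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal protects an attachment with a passphrase: fresh random salt and nonce, authenticated encryption.
func Seal(pass string, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen) // random salt followed by a random 96-bit GCM nonce
	if _, err := rand.Read(header); err != nil { return nil, err }
	gcm, err := newGCM(pass, header[:saltLen])
	if err != nil { return nil, err }
	nonce := append([]byte(nil), header[saltLen:]...) // copy: the nonce must not alias the output buffer
	return gcm.Seal(header, nonce, plaintext, nil), nil
}

// Open is the recipient side; a wrong passphrase or a modified container fails authentication.
func Open(pass string, container []byte) ([]byte, error) {
	if len(container) < saltLen+nonceLen { return nil, errors.New("container too short") }
	gcm, err := newGCM(pass, container[:saltLen])
	if err != nil { return nil, err }
	return gcm.Open(nil, container[saltLen:saltLen+nonceLen], container[saltLen+nonceLen:], nil)
}

// PrepareDispatches combines both controls: one sealed file per district, each with its own passphrase.
func PrepareDispatches(rows []Patient) ([]Dispatch, error) {
	var out []Dispatch
	for district, part := range PartitionByDistrict(rows) {
		raw := make([]byte, 12) // 96 random bits, hex-encoded for reading out over the second channel
		if _, err := rand.Read(raw); err != nil { return nil, err }
		pass := hex.EncodeToString(raw)
		sealed, err := Seal(pass, ToCSV(part))
		if err != nil { return nil, err }
		out = append(out, Dispatch{District: district, Attachment: sealed, Passphrase: pass})
	}
	return out, nil
}
```

Two design points carry the weight. The partition step means that even a mis-addressed email only exposes one district's rows rather than all 1153 patients, and the per-district passphrase means that a recipient who forwards the attachment cannot open it for anyone else without also forwarding the passphrase from the second channel. AES-GCM is authenticated, so a guessed passphrase or an edited file is rejected rather than decrypted to garbage.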

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.


BFKH XI. District Office: data protection incident and data security deficiencies affecting health data
File size: 318.57 kB. Date: 24 March 2021. NAIH-2894-3/2021