Persónuvernd (Iceland) - 202112772

From GDPRhub
Latest revision as of 09:55, 16 December 2021

Persónuvernd (Iceland) - 202112772
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 35(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 23.11.2021
Published: 29.11.2021
Fine: None
Parties: Landspítali – The National University Hospital of Iceland; Icelandic Genealogy
National Case Number/Name: 202112772
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Icelandic DPA (in IS)
Initial Contributor: Cesar Manso-Sayao

The Icelandic DPA issued a reprimand against a hospital appointed to carry out COVID-19 tests for failing to conduct a Data Protection Impact Assessment in violation of Article 35(1) GDPR when relocating part of their staff to another medical centre.

English Summary

Facts

Since 2015, the Icelandic health authorities had appointed Landspítali Hospital (the Hospital) to conduct border and domestic screening to monitor the spread of infectious diseases. It was agreed that the Hospital was allowed to subcontract services in order to carry out this screening. In June 2020, the Hospital sought the services of a company named Icelandic Genealogy (IG) to conduct COVID-19 screening tests. A Data Protection Impact Assessment (DPIA) was carried out by the Icelandic Medical Director of Health (the Director) in consultation with the Icelandic DPA. The DPA observed that there was no indication that this processing would violate the GDPR. As a result, the Hospital outsourced part of the testing and screening activities to IG.

However, in August 2020, the Hospital publicly announced that they would temporarily relocate part of their own staff to IG’s facilities to use some of their equipment and software (Virlab) in order to increase their screening capacity. Following this announcement, the Icelandic DPA asked the Hospital for specific information regarding security measures related to the processing of personal data, and whether a new DPIA had been carried out by the Hospital before relocating part of their staff to IG’s facilities.

The Hospital disregarded this request and relocated part of its staff to IG’s facilities as planned. The DPA reiterated its request in September 2020. The Hospital then responded to the DPA, apologising for the delay and explaining that it had begun using IG’s facilities expeditiously in order to respond to the increased demand for sampling due to the pandemic.

The Hospital also stated that it had not conducted a new DPIA because it considered that the previous DPIA applied to the processing that would now temporarily take place at IG’s facilities. However, prior to the transfer of some staff members to IG’s facilities, IG only had access to sample numbers sent by the Hospital. Once part of the Hospital's staff started working in IG’s facilities and using their equipment, IG’s Virlab system registered the names of individuals who had tested positive in border screening, as well as identification codes from samples taken at health centres which could be traced back to the individuals concerned. IG’s staff did not have access to this personal data as registered in the Virlab system, except for three employees involved in its design, programming and necessary updates.

In November 2020, the DPA began an investigation, auditing the Hospital and IG in order to determine whether the new processing operations conducted by the Hospital's staff at IG’s facilities were compliant with the GDPR.

Holding

The Icelandic DPA found that the Director and the Hospital failed to comply with Article 35(1) GDPR by not conducting a new DPIA. The DPA held in particular that a new DPIA should have been carried out due to the fact that the Hospital would now be processing personal data using IG’s facilities and Virlab system, which gave some IG employees access to that additional data. It explained that the initial DPIA could not be applied to these new circumstances. Previously, IG’s staff only had access to sample numbers which did not include personal data or data that could be traced back to an individual, so the circumstances were not comparable.

The DPA also held that, despite the absence of a new DPIA, there had been no violation of Article 24(1) and (2) GDPR (responsibility of the controller), Article 25 GDPR (privacy by design and by default) or Article 32 GDPR (obligation to implement appropriate technical and organisational measures to ensure the security of the processing). Indeed, the DPA found that the processing of the personal data at IG's facilities did not lead to a security breach, taking into account the fact that only 3 IG staff members had access to the personal data stored in Virlab, and that this access was necessary for the programming and maintenance of the software.

However, the DPA did reprimand the Hospital for failing to answer its questions related to the security of personal data prior to the transfer of its staff to IG’s facilities. The DPA reminded the Hospital that the GDPR must be complied with even in the context of the COVID-19 pandemic, as already stressed by the European Data Protection Board in its “Statement on the processing of personal data in the context of the COVID-19 outbreak” issued on March 19, 2020.

The Icelandic DPA however stated that it was aware of the pressure that the Icelandic health authorities have been under since the outbreak of the pandemic and, in view of these special circumstances, it would not take further action in this case.

Comment

This case is part of a larger case complex; see also cases 2020061951 and 2020061954.


English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.


The security of personal information in the part of the Department of Microbiology and Virology at Landspítali that was located at the office of Íslensk erfðagreining (Icelandic Genetics)
Case no. 202112772
11/29/2021
The Data Protection Authority has completed its audit of the security of personal information at the part of the Department of Pathology and Virology at Landspítali that was located at the Icelandic Genetics office from August 2020 to February 2021. The conclusion of the Data Protection Authority is that there is no evidence that security has been deficient. On the other hand, it is the conclusion of the Data Protection Authority that the assessment of the impact on privacy protection did not meet the requirements of the Data Protection Act.
The Data Protection Authority's audit was initiated on the occasion of the comments of the chief physician at Landspítali at the Civil Protection's information meeting on 13 August 2020 that it was estimated that part of Landspítali's germ and virology department's operations would be relocated to the premises of the genetic research company Íslensk erfðagreiningar. This would be done to increase the screening efficiency of the virus that causes COVID-19 disease.
Landspítali's answers state, among other things, that before screening for COVID-19 began at the Icelandic border on 15 June 2020, the Office of the Medical Director of Health carried out an assessment of the impact of the proposed processing measures on the protection of personal data. That assessment was used as a basis when part of Landspítali's pathology and virology department was located at the Icelandic Genetics office from August 2020 to February 2021.
The decision of the Data Protection Authority concludes that the processing covered by the above assessment is not comparable to the processing of personal data at issue in this case. In the assessment, special consideration was given to the nature of the access of the employees of Íslensk erfðagreining to the personal information that was processed. During the border screening, which began in the summer of 2020, the company's employees, according to the original arrangement, only had access to sample numbers when analysing samples. When part of Landspítali's pathology and virology department was located at the company's office, its employees had access, in its Virlab system, to the names of those individuals who had been diagnosed positive in border screening. Samples taken at health centres, i.e. so-called identification samples, were also held in the same system with a code that could be traced back to an individual. It is therefore the conclusion of the Data Protection Authority that the assessment that was used as a basis did not meet the requirements of the Data Protection Act and that a new assessment of the impact on data protection should have been carried out before part of Landspítali's Department of Microbiology and Virology was transferred to Icelandic Genetics.
It is also the conclusion of the Data Protection Authority that there was no evidence that the security of the personal information processed at the Icelandic Genetics office did not meet the requirements of the Data Protection Act. It was considered that access to the company's Virlab system was controlled, and that only three employees had access to the system, namely those who were involved in a needs analysis for its design, its programming and the making of necessary updates.

    

    
Decision
On 23 November 2021, the Data Protection Authority made the following decision in case no. 2020112772:
I. Procedure
1. Start of the case
On 13 August 2020, […], Chief Physician at Landspítali, stated at a public meeting of the Civil Defence that it was estimated that part of the activities of Landspítali's pathology and virology department would be moved to the premises of the genetic research company Íslensk erfðagreining in order to increase screening for COVID-19 disease. The transfer was being prepared and the software was being adapted.
On this occasion, the Data Protection Authority sent a letter to Landspítali, dated 14 August 2020, recalling the legal provisions on the responsibility of the controller, privacy by design and by default, and security in the processing of personal information. The letter also requested specific explanations, as outlined in section I.2 below in connection with the hospital's responses. It was also requested that answers be received before the planned activities of the hospital's pathology and virology department began at the Icelandic Genetics office. Finally, it was stated that if consultation with the Data Protection Authority was requested on the planned security measures for the processing of personal information by the hospital inside the Icelandic Genetics office, this would be readily provided.
The Data Protection Authority's message was repeated by e-mail on 4 September 2020, as the institution had not received the requested answers from Landspítali by then, although it had received information from the hospital on 28 August 2020 that the above transfer had already taken place. By letter dated 7 September of the same year, the Data Protection Authority reiterated its message for the second time.
2. Answers on behalf of Landspítali
In Landspítali's reply letter, dated 11 September 2020, the hospital apologised for not having answered earlier, explaining that the transfer had been decided at speed in order to respond to the situation that had arisen in sampling.
The letter notes, among other things, that according to Art. Epidemiology Act no. 19/1997, the Epidemiologist is responsible for planning and coordinating infection control as well as maintaining an infectious disease register to monitor the spread of infectious diseases. It is also stated that Landspítali conducts border and domestic screening on behalf of the Epidemiologist on the basis of a processing agreement, dated 21 December 2015, which states that Landspítali is authorised to engage sub-processors.
When it became clear that Landspítali's Department of Pathology and Virology would be entirely responsible for screening for COVID-19 disease, the department did not have the facilities needed to process the number of samples taken daily. Therefore, the decision was made to seek the assistance of Icelandic Genetics. This is a temporary measure, which means that the Department of Microbiology and Virology has facilities in the company's premises and uses its equipment while the department's own facilities are being improved.
Regarding the individual questions from the Data Protection Authority, Landspítali's answers are as follows, with each question given before the answer to it:
1. "Has an impact assessment on privacy been carried out in accordance with Article 35 of the General Data Protection Regulation (EU) 2016/679, cf. Article 29 of Act no. 90/2018? If so, what was its outcome?"
Landspítali stated that before the border screening had taken place in the summer of 2020, which Íslensk erfðagreining had carried out, an assessment of the impact on privacy had been carried out by the Office of the Medical Director of Health. It had gone through the equipment and systems that would be used in the screening. The processing that would take place temporarily in the premises of Íslensk erfðagreiningar would be comparable to the one covered by that assessment, and therefore it would not have been considered necessary to carry out a new assessment of the impact on personal data protection.
Reference was also made to a processing agreement, dated 12 March 2020, between Landspítali and Íslensk erfðagreining covering the analysis of samples and the processing of personal information that accompanied it.
It was also stated that the change now taking place temporarily was that, instead of the work of sampling and analysis of samples being taken care of entirely by the staff of Icelandic Genetics, it was now the staff of Landspítali who would take care of that work. It could therefore be considered that Landspítali, as a processor for the Epidemiologist, was better placed than before to ensure full privacy protection in all processing, and therefore the risk associated with this measure was less than it had been before.
2. "Where will the biological samples taken during the screening of Landspítali's Department of Pathology and Virology at the office of Icelandic Genetics be stored and who is responsible for their safety?"
Landspítali stated that biological samples would be stored in refrigerators located inside the laboratory of Icelandic Genetics, where the Department of Microbiology and Virology had facilities and registered samples.
Biological samples taken at borders were identified by a code that could be traced back to an individual in a system run by the Office of the Medical Director of Health. If any positives were detected, information on the name and artificial ID number would be entered in the Virlab system of Icelandic Genetics, but that information would only be accessible to three employees of the company who would need access due to their work. The information was also disseminated to the epidemiologist, the outpatient department of COVID-19 at Landspítali and the tracking team of the civil defense so that the necessary measures could be taken.
Samples taken at the Capital Area Health Service or other health centres, i.e. those samples that were not part of the border screening (so-called identification samples), were also identified by a code, but that code could be traced back to an individual in the Virlab system. This was in line with the procedure normally followed when the Department of Microbiology and Virology analysed samples for healthcare. Such an arrangement expedited the notification of the result to the person concerned, who was obliged to be in isolation while waiting for the result. It would therefore be burdensome for individuals who came for sampling due to symptoms to wait for a result.
The Virlab system was access-controlled and only ID numbers and results were recorded. Other information, such as symptoms and patient background, was not included. All negative samples would be removed after the final result was obtained. The staff of the Department of Microbiology and Virology were responsible for ensuring that the handling and finishing of samples was correct. According to the current processing agreement, Icelandic Genetics, as Landspítali's sub-processor, was to ensure adequate security in consultation with the hospital and the Epidemiologist.
3. "How will the activities of Landspítali's Department of Pathology and Virology, which is to take place at the Icelandic Genetics Office, be kept separate from the activities of the company?"
Landspítali stated that the hospital had its own employees at the Icelandic Genetics office who worked on the analysis of the samples. The company's employees were not involved in the analysis other than by supervising the equipment and tools used by the staff of the Department of Microbiology and Virology and providing assistance if needed. It was important that an employee of Íslensk erfðagreining supervised the devices to ensure that they worked properly. Other employees of the company had access to the laboratories and refrigerators but were not allowed to process the samples.
4. "How will access management be handled?"
Landspítali stated that those employees of Íslensk erfðagreining who needed access to the laboratories and the Virlab system for their work had that access. The same applied to employees of the Department of Microbiology and Virology. Others did not have access.
5. "What instructions have employees received or will receive regarding the security of personal information?"
On this point, Landspítali stated that all those who were qualified to work at the hospital received special induction training in which they were educated about the duty of confidentiality that rested on them by law. There were also procedures in place regarding security issues that were accessible and presented to the department's employees.
3. Decision on audit - further communication between the parties
By letter dated 17 November 2020, the Data Protection Authority announced to the Office of the Medical Director of Health, Landspítali and Íslensk erfðagreining that it had decided to carry out an audit of the processing of personal information at the part of Landspítali's bacteriology and virology department located at Íslensk erfðagreining's office, in order to confirm whether the processing arrangements were as stated in Landspítali's answers and how the security of the information was ensured. In the letter, the Data Protection Authority requested that Landspítali send the documentation that had been prepared on the processing of personal information that would take place at Íslensk erfðagreining's office, including any procedures that may have been established, documentation of information security and the record of processing activities according to Art. Act no. 90/2018.
On December 7, 2020, the Data Protection Authority received the requested data from Landspítali. The attached reply letter from the hospital states that the data was prepared by the hospital and Icelandic Genetics.
In an e-mail from Icelandic Genetics to the Data Protection Authority, dated 11 December 2020, it is stated that the company considers that the substance of the authority's letter of 17 November of that year is directed at Landspítali, although various data on the processing created by the company are relevant. It is also stated that Íslensk erfðagreining has received Landspítali's reply letter of 7 December and adopts that reply as its own.
By e-mail dated 24 February 2021, the Data Protection Authority received information from Landspítali that the part of the hospital's pathology and virology department that had been located at the Icelandic Genetics office had been moved to the hospital's premises on 22 February.
By letter dated 29 March 2021, the Data Protection Authority requested that Landspítali state whether its data protection officer had been involved in transferring the hospital's bacteriology and virology department's operations to the Icelandic Genetics office. From Landspítali's reply letter, dated 7 April of that year, it can be assumed that the Data Protection Authority's inquiry was understood to concern the involvement of the hospital's data protection officer in the transfer of the Department of Microbiology and Virology from Icelandic Genetics back to the hospital. By e-mail dated 20 April, the Data Protection Authority therefore reiterated its above-mentioned inquiry. Landspítali replied by e-mail, dated 5 May 2021, stating that the transfer of the Department of Microbiology and Virology to Icelandic Genetics had not been reported to the hospital's data protection officer before it took place.
4. Further communication
By letter from the Data Protection Authority to Landspítali, dated 22 June 2021, the institution requested further explanations in connection with the hospital's responses outlined in section I.2 above. In Landspítali's reply letter to the Data Protection Authority, dated 1 September, the hospital gave the following answers to the questions asked:
1. "What risks were present when the analysis was carried out entirely by the staff of Icelandic Genetics?"
Landspítali stated that the hospital had not carried out a special risk assessment when the hospital's pathology and virology department was transferred to Icelandic Genetics. The hospital referred to the fact that an impact assessment on privacy had been carried out by the Office of the Medical Director of Health in the run-up to border screening in the summer of 2020.
2. "What security measures were taken to reduce those risks?"
Regarding this, Landspítali referred to its answer to question no. 1.
3. "What were the remaining risks?"
Regarding this, Landspítali referred to its answer to question no. 1.
4. "What was the purpose of the employees of Íslensk erfðagreining having access to the company's Virlab system when it came to samples taken at borders, i.e. what was the nature of their access?"
Landspítalinn stated that three employees of Íslensk erfðagreining, who play a responsible role and manage human resources in the company's laboratory, had had access to the Virlab system. They would have been responsible for ensuring that the processing of the samples was in accordance with legal and quality requirements made for the company's laboratory, e.g. The ISO 9001 quality standard. The Virlab system had been designed by Icelandic Genetics and had been customized for this project. The three employees in question had been involved in a needs analysis for the design of the Virlab system, its programming and the preparation of necessary updates. The results of the samples had been sent to the Office of the Medical Director of Health from the system after the sample numbers had been linked to the names and ID numbers of patients.
5. "How many employees of Íslensk erfðagreining had access to the company's Virlab system when it came to so-called symptom samples and for what purpose, ie. what was their access? "
Landspítalinn stated that the three employees mentioned in the hospital's answer to question no. 4 would have had access to the Virlab system and for the same purpose as specified therein. The processing process in the laboratory of Icelandic Genetics would be the same whether it was a sample taken at a border, a symptom sample or a quarantine sample.
6. "Why was it considered necessary for the employees of Íslensk erfðagreiningar to have access to a system that stored the personal identification of registered individuals, but their access was limited to sample numbers when the company performed analysis of samples taken at the Icelandic border from 15 June 2020?"
About this, Landspítalinn stated that all samples that had been analyzed by Icelandic Genetics had been scanned into the Virlab system, whether they had been samples taken at borders, symptom samples or quarantine samples.
7. "How many employees of Icelandic Genetics had access to equipment and tools used by employees of the Department of Microbiology and Virology in analyzing the samples?"
Landspítalinn stated that about ten of the company's employees had had access to equipment and tools, but only the three employees of the company mentioned in answers no. 4 and 5 would have had access to the Virlab system.
II. Assumptions and conclusion
1. Case delimitation - Scope
The following discussion by the Data Protection Authority concerns solely whether the security of COVID-19 patients' personal data was ensured when part of Landspítali's Department of Microbiology and Virology was located at the Icelandic Genetics office, and not whether sufficient legal authorisation existed for processing the personal data in question.
In this respect, this case falls within the scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, as defined in the first paragraph of Article 4 of the Act, cf. points 2 and 4 of Article 3 of the Act and points 1 and 2 of Article 4 of the Regulation. According to the first paragraph of Article 39 of the Act, the matter also falls within the competence of the Data Protection Authority.
The discussion is limited, on the one hand, to whether the data protection impact assessment that formed the basis for the transfer in question was satisfactory and, on the other hand, to whether the security of the data complied with the requirements of Act no. 90/2018.
2. Responsible party - Processing party - Processing agreements
Under Act no. 90/2018, the person responsible for the processing of personal data is termed the responsible party (controller). According to point 6 of Article 3 of the Act, this is an individual, legal entity, government authority or other party who alone or jointly with others determines the purposes and means of the processing of personal data, cf. point 7 of Article 4 of the Regulation.
The responsible party is obliged to ensure that processing takes place in accordance with Act no. 90/2018 and Regulation (EU) 2016/679. Part of ensuring this is that the processor carries out processing in accordance with the responsible party's instructions. Those instructions are required, according to Article 28 of the Regulation, to be recorded in a contract which shall specify the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the responsible party.
The Chief Epidemiologist is required, according to point 1 of Article 5 of the Epidemiology Act no. 19/1997, to keep a register of infectious diseases. Its purpose is to obtain accurate information on the diagnosis of infectious diseases from laboratories, hospitals and doctors, and also to support infection control work and epidemiological research, cf. Article 3 of the Epidemiology Act. According to the first paragraph of Article 4 of the Epidemiology Act, the Office of the Medical Director of Health is responsible for the implementation of epidemiological control and, according to the same Article, the Office shall employ a Chief Epidemiologist who is responsible for infection control. The Chief Epidemiologist thus works at the Office of the Medical Director of Health and is responsible for all information processed in connection with work under the Epidemiology Act. In this case, the Chief Epidemiologist is therefore considered to be the responsible party for the processing in question.
The responsible party may entrust another party with processing personal data on its behalf. Such a party is a processor according to point 7 of Article 3 of Act no. 90/2018 and point 8 of Article 4 of Regulation (EU) 2016/679, i.e. a party that processes personal data on behalf of the responsible party, and a specific agreement shall be made with such a processor in accordance with the third paragraph of Article 25 of the Act and Article 28 of the Regulation. It is clear that the Chief Epidemiologist has agreed with Landspítali that the hospital processes personal data for which he is responsible, and the hospital is considered to be a processor as far as that processing is concerned, cf. the parties' processing agreement, dated 21 December 2015.
According to Article 25 of Act no. 90/2018, cf. paragraph 2 of Article 28 of the Regulation, a processor may engage another processor, often referred to as a sub-processor, provided that it has a specific or general written authorisation from the responsible party. It is established that an agreement was made between Landspítali and Íslensk erfðagreining, dated 12 March 2020, in which Landspítalinn entrusts Icelandic Genetics with processing that results from Landspítali's obligations under the processing agreement between the Chief Epidemiologist and Landspítali. More specifically, it stipulates that Icelandic Genetics' processing of personal data for Landspítali consists of the collection of, and screening for the COVID-19 virus in, biological samples that the company collects itself or receives from the hospital. Íslensk erfðagreining is therefore a sub-processor in the sense of the aforementioned provision, as the processing agreement between the Chief Epidemiologist and Landspítali contained a written authorisation to the effect that Landspítalinn could use such a party in carrying out the processing.
The parties' processing agreements will not be examined further here, but it should be noted that they are discussed in the decision of the Data Protection Authority, dated 23 November 2021, on screening in Iceland for the SARS-CoV-2 virus causing the COVID-19 disease (case 2020061954), as well as in the Authority's decision of the same date on obtaining the consent of COVID-19 patients at Landspítali for the use of their blood samples for the scientific study "Epidemiology of the SARS-CoV-2 virus and the effect of genetics and underlying diseases on the COVID-19 disease it causes" (case 2020061951).
3. Principles for the processing of personal data
All processing of personal data must comply with the principles of the first paragraph of Article 8 of Act no. 90/2018, cf. paragraph 1 of Article 5 of Regulation (EU) 2016/679. Point 6 states that personal data shall be processed in a manner that ensures their appropriate security.
The above principles are elaborated in other provisions of the Act, which further prescribe their content. At issue in this case are provisions related to the security principle in point 6 of the first paragraph of Article 8 of Act no. 90/2018, i.e. the provisions on data protection impact assessment and on the security of personal data. These provisions are discussed in Chapters 4 and 5 below.
4. Data protection impact assessment
The first paragraph of Article 29 of Act no. 90/2018, cf. paragraph 1 of Article 35 of Regulation (EU) 2016/679, stipulates that the responsible party shall carry out an assessment of the impact of the proposed processing operations on the protection of personal data before the processing takes place, if the processing is likely to entail a high risk to the rights and freedoms of individuals, taking into account the nature, scope, context and purpose of the processing. If such an assessment indicates that the processing would entail a high risk unless the responsible party takes measures to reduce it, the responsible party shall consult the Data Protection Authority before the processing begins, cf. Article 30 of Act no. 90/2018, cf. Article 36 of the Regulation. If the Data Protection Authority considers that the planned processing would infringe Regulation (EU) 2016/679, in particular where the responsible party has not sufficiently identified or mitigated the risk, the Authority shall provide written advice to the responsible party and, where applicable, the processor, and may use any of its powers referred to in Articles 41 to 43 of the Act, cf. Article 58 of the Regulation.
By e-mail on 11 June 2020, the Office of the Medical Director of Health requested prior consultation with the Data Protection Authority in connection with infection control measures at the Icelandic border from 15 June 2020. The e-mail was accompanied by a data protection impact assessment for the proposed measures; a draft of the e-mail that passengers travelling to Iceland would receive after completing the pre-registration form, in which they would decide whether to be sampled or quarantined upon arrival in Iceland; a diagram with an overview of the main systems and the flow of information between them; and a copy of Regulation no. 580/2020, on quarantine, isolation and sampling at the Icelandic border due to COVID-19. The Data Protection Authority received an updated data protection impact assessment on 12 June 2020 and additional information by e-mail on 14 June.
The Office of the Medical Director of Health's submission states that the analysis of samples from those who choose to undergo sampling is carried out under the responsibility of Landspítali's Department of Microbiology and Virology in accordance with an agreement with the Chief Epidemiologist. Icelandic Genetics then performs the analysis under an agreement with the hospital's Department of Microbiology and Virology. Staff analysing the samples have access only to sample numbers and to no personal information about the passengers concerned. All samples are disposed of as soon as possible after the result is available, cf. paragraph 7 of Article 4 of the Regulation on quarantine, isolation and sampling at the Icelandic border. Positive samples may, however, be sent for further examination for medical purposes, if necessary. When the result is available, it is sent to the quarantine database and the number of the sample in question is linked to the registered passenger. Information on a negative result is automatically deleted from the infection control database 14 days after it becomes available.
The Data Protection Authority provided the Office of the Medical Director of Health with advice by letter dated 14 June 2020. The letter states the Data Protection Authority's assessment that there was no reason to believe that the processing of personal data entailed by the infection control measures at the Icelandic border, as described in the material submitted by the Office of the Medical Director of Health, would violate Act no. 90/2018 or Regulation (EU) 2016/679. It was also the Data Protection Authority's assessment that the data protection impact assessment for the measures showed that an effort had been made to limit the personal data that would be processed, as well as access to it.
It is examined here whether the processing covered by the above data protection impact assessment is comparable to the processing of personal data in the part of Landspítali's Department of Microbiology and Virology that was located at the Icelandic Genetics office. This assessment takes particular account of the difference in the nature of the access of Íslensk erfðagreining's employees to the personal data being processed. During the border screening, which began on 15 June 2020, the company's employees, under the original arrangement, had access only to sample numbers when analysing samples. In the situation considered here, the samples taken at health centres, i.e. so-called symptom samples, were identified by a code that could be traced back to an individual in the Virlab system of Icelandic Genetics. The names and artificial ID numbers of the individuals who had tested positive in border screening were registered in the same system, which was accessible to three of the company's employees.
In light of the fact that employees of Icelandic Genetics gained access to the personal data of COVID-19 patients when part of Landspítali's Department of Microbiology and Virology was located at the company's office, the Data Protection Authority's assessment is that the processing covered by the above impact assessment is not comparable to the processing under consideration here. Accordingly, it is the opinion of the Data Protection Authority that a new data protection impact assessment should have been carried out, cf. the first paragraph of Article 29 of Act no. 90/2018, on personal data protection and the processing of personal data, cf. paragraph 1 of Article 35 of Regulation (EU) 2016/679, before part of the activities of Landspítali's Department of Microbiology and Virology were transferred to the office of Icelandic Genetics.
5. Security of the data at the Icelandic Genetics office
The party responsible for the processing of personal data shall implement appropriate technical and organisational measures, taking into account, among other things, the nature and scope of the processing and the risks to the rights and freedoms of registered individuals, to ensure and be able to demonstrate that the processing meets the requirements of Regulation (EU) 2016/679, cf. paragraph 1 of Article 24 of the Regulation.
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purpose of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of individuals, the responsible party shall, both at the time of determining the means of processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, designed to implement the data protection principles, and integrate the necessary safeguards into the processing in order to meet the requirements of the Regulation and protect the rights of registered persons, cf. paragraph 1 of Article 25 of the Regulation.
The responsible party shall implement appropriate technical and organisational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed. This obligation applies, among other things, to the accessibility of personal data. In particular, such measures shall ensure that by default personal data are not made accessible to an indefinite number of persons without the individual's intervention, cf. paragraph 2 of Article 25 of the Regulation.
With reference to the same considerations as above, appropriate technical and organisational measures shall be implemented to ensure a level of security appropriate to the risk, such as the pseudonymisation or encryption of personal data. In assessing the appropriate level of security, account shall be taken in particular of the risks presented by the processing, including from unauthorised disclosure of, or access to, the personal data, cf. paragraphs 1 and 2 of Article 32 of the Regulation.
The Data Protection Authority considers that, in assessing the nature of the processing of personal data in question and the risk to the data subjects, it was significant that their health data were processed within the office of a party other than the responsible party.
In view of the above provisions, the nature of the processing in question and the risks it entailed for registered individuals, it was of great importance that the Chief Epidemiologist ensured the security of the personal data processed under his responsibility within the Icelandic Genetics office. For this purpose, it would have been necessary to control, among other things, access to the data so that they were not made accessible to those who should not have access.
From Landspítali's answers it can be seen, among other things, that access control applied to the Virlab system of Icelandic Genetics, which stored the personal identifiers of registered individuals. Only three of the company's employees, who required access to the system for their work, had access to it; they had been involved in the needs analysis for its design, its programming and the preparation of necessary updates. They were responsible for ensuring that the processing of the samples complied with the legal and quality requirements applicable to the company's laboratory, such as the ISO 9001 quality standard.
From Landspítali's answers and the available data in the case, it cannot be concluded that the security of the personal data was deficient, but it should be emphasised that a new data protection impact assessment had to be carried out. Reference is made here to the above-mentioned legal provisions on the responsibility of the responsible party, data protection by design and by default, and security in the processing of personal data.
6. Summarized conclusion
It is the conclusion of the Data Protection Authority that the assessment of the impact of the proposed processing operations on the protection of personal data, which was relied upon when part of Landspítali's Department of Microbiology and Virology moved to the Icelandic Genetics office, did not meet the requirements of Act no. 90/2018, cf. Regulation (EU) 2016/679.
It is also the conclusion of the Data Protection Authority that there is no evidence that a lack of appropriate technical and organisational measures resulted in the security of the personal data failing to meet the requirements of Act no. 90/2018, cf. Regulation (EU) 2016/679.
In this connection, it should be emphasised that the role of the Data Protection Authority includes monitoring the implementation of legislation on the processing of personal data, cf. the first paragraph of Article 39 of Act no. 90/2018, and that the Authority may examine individual cases and take a decision on its own initiative, cf. the third paragraph of the same provision and point 2 of Article 41 of the Act, cf. point (b) of paragraph 1 of Article 58 of Regulation (EU) 2016/679.
The responsible party must also provide the Data Protection Authority with all the information that the Authority needs for the implementation of Act no. 90/2018 and Regulation (EU) 2016/679, cf. point 1 of Article 41 of the Act, cf. point (a) of paragraph 1 of Article 58 of the Regulation.
As stated at the beginning of this opinion, the Data Protection Authority requested in its letter dated 14 August 2020 that Landspítali's answers be received before the planned activities of Landspítali's Department of Microbiology and Virology began at the Icelandic Genetics office. Despite this request, the Authority received the requested answers from Landspítali only after the transfer in question had taken place and after it had repeated its request twice. In the opinion of the Data Protection Authority, this is highly reprehensible in light of the Authority's supervisory role.
The Data Protection Authority points out that Act no. 90/2018 and Regulation (EU) 2016/679 continue to apply and must be complied with despite a pandemic, as stated in the Statement of the European Data Protection Board (EDPB) on the processing of personal data in the context of the COVID-19 outbreak, issued on 19 March 2020.
However, the Data Protection Authority also notes that it is aware of the threat that COVID-19 has posed to Icelandic society since the beginning of the epidemic and of the pressure under which the Icelandic health authorities have been. In view of these special circumstances, no administrative fine will be imposed in this case, cf. the first paragraph of Article 47 of Act no. 90/2018.
Ruling:
The data protection impact assessment carried out at the Office of the Medical Director of Health, which was relied upon for the transfer of part of Landspítali's Department of Microbiology and Virology to the Icelandic Genetics office, did not meet the requirements of Act no. 90/2018, cf. Regulation (EU) 2016/679.
Persónuvernd (the Data Protection Authority), 29 November 2021
Ólafur Garðarsson
chairman
Björn Geirsson Sindri M. Stephensen
Vilhelmína Haraldsdóttir Þorvarður Kári Ólafsson