Persónuvernd (Iceland) - Case no. 2021112113

From GDPRhub
Persónuvernd - Case no. 2021112113
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 5(1) GDPR
Article 6(1)(c) GDPR
Law no. 37/1993 on "The Right to Information and the Duty to Provide Guidance"
Type: Complaint
Outcome: Rejected
Started:
Decided: 22.12.2022
Published: 22.12.2022
Fine: n/a
Parties: n/a
National Case Number/Name: Case no. 2021112113
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Icelandic
Original Source: Icelandic DPA (in IS)
Initial Contributor: n/a

The Icelandic DPA rejected a complaint concerning an alleged unlawful disclosure of personal data by a public authority. The authority had been legally obliged to share the data based on the applicable freedom of information law.

English Summary

Facts

The controller is the Icelandic Office of the National Medical Examiner. The controller was established by national law and supervised health services and health workers and dealt with complaints from the public regarding health services. The data subject was the head of a medical department. At an unspecified time, "association X", a non-profit organisation representing the interests of patients, sent a message to the controller which criticised the management of the data subject's department and made suggestions to its improvement. Considering the suggestions, the controller started an official investigation case.

According the Icelandic administrative law, the complainant is a party to the investigation. Further, based on law no. 37/1993 on "The Right to Information and the Duty to Provide Guidance", the parties to a case enjoy the right to be informed about it. Therefore, after the association sent multiple inquiries, the controller shared personal information about the data subject (the head of the department) in a letter which included, among other things, information that the data subject had been placed on indefinite leave and another person had taken over his job.

Subsequently, the data subject issued a complaint the Icelandic DPA and argued that the controller had no legal basis for the processing. The data subject believed that the comments of the controller in the letter, regarding his indefinite leave, were presented as if they were specific sanctions due to what was stated in the criticism of association X. Moreover, the data subject believed that the association X was not a party in the investigation case and, thus, disclosure of such information could not have been possibly based on a law. (The data subject's arguments, as presented by the decision, do not go further in depth. However, it can be presumed that the data subject is, in effect, arguing the following: First, if the processing of the personal data can not be based on a law, Article 6(1)(c) GDPR cannot be used as a legal basis. Second, there is no apparent legitimate interest present for the processing which would overwrite the data subject's interests in the personal data not being disclosed, as would have been required for Article 6(1)(f) GDPR. Therefore, there had been no legal basis for the processing which made it unlawful.)

Conversely, the controller responded that it had been legally obliged to share the personal information in the letter in question after repeated inquiries by the association X about the status of the investigation.

Holding

The DPA rejected the complaint and held that the controller had processed the personal data in line with its legal duties and thereby had observed all principles of the GDPR.

First, it noted that all processing had to be based on Article 6(1) GDPR. In the case at hand, processing would, mostly likely, be based on Article 6(1)(c) GDPR, which stipulates that personal data may be processed if it is necessary to fulfil a legal obligation that rests on the controller. According to national law, the main role of the controller was, among other things, to supervise health services and health workers and to deal with complaints from the public. Moreover, the controller was authorized to process personal information to fulfil statutory duties according to the law.

Second, the DPA assessed whether association X was entitled to information concerning the investigation case. The data subject argued that since association X did not act on behalf of specific patients, it could not have been involved in the investigation. On the other hand, based on the arguments of the controller, association X acted on behalf of all its members and, therefore, was an interested party to the case. The DPA pointed out that participation to an administrative case, such as the concerned investigation, depend on having a direct, unique, significant, and legally protected interest in the resolution of the case. Moreover, although non-profit organisation may act on behalf of parties in an administrative case, it is also recognized that they can be a party to proceedings for the sake of their members if a significant part of the members have a unique and significant interest in the resolution of a case and if the interest is a declared purpose of the organization. The DPA considered that the association was a party due to the latter conditions being fulfilled. Therefore, the association had a right to access documents and other data related to the investigation. The concerned letter sent by the Office to the investigation intended to summarize the existing case file. Consequently, the processing was legal pursuant to Article 6(1)(c) as it was necessary for the controller to fulfil its legal duties.

Third, the DPA had to assess whether the controller complied with the principles set out in Article 5(1) GDPR, such as lawfulness, fairness, and transparency. The personal data must have been processed in a sufficient and appropriate manner in a way which would not go beyond what was necessary based on the purpose of the processing. The DPA held that the controller had complied with these principles. As the subject matter of the investigation concerned the management of the department, of which the data subject was the head of, the controller could hardly redact all information concerning him. Moreover, the personal data included in the letter was materially limited and directly concerned the measures that had been taken in connection with the criticism of association X. Therefore, the DPA decided that the controller had complied with all principles of Article 5(1) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Solutions

Processing of personal information by the National Medical Examiner's Office

Case no. 2021112113

22.12.2022

The processing of personal information must be based on the principles of the personal protection legislation. Personal data must, among other things, be processed in a fair manner and be sufficient, appropriate and not beyond what is necessary in each case based on the purpose of the processing. In this case, the processing of personal data was considered to be in accordance with the principles. It was ensured that information about the complainant was materially limited and shared with the purpose of informing the parties about the status of the administrative case and the content of the case file.

----

Personal data protection ruled in a case where there was a complaint about the processing of personal data by the Office of the National Medical Examiner. More specifically, it was complained that the Office of the National Medical Examiner had shared personal information about the complainant in a letter to an association following the association's suggestions to the office regarding the treatment of patients in the area of the Landspítala that the complainant managed. The letter contained information that the complainant had been placed on indefinite leave and someone else had taken over his job.

The conclusion of the Personal Protection Agency was that the information about the complainant contained in the letter in question was materially limited, but did directly concern the remedies that had been taken in connection with the associations' suggestions. Personal protection considered that the arrangements for the provision of information by the National Medical Examiner's Office had been reasonable and that it had also been ensured that the information was sufficient, relevant and not beyond what was necessary based on the purpose of the processing, i.e. to inform the parties of a case about its status and the content of the case file.

Ruling

about a complaint about the processing of personal data by the Office of the National Medical Examiner in case no. 2021112113:

i
Procedure
1.
Outline of a case

On 2 November 2021, Personal Protection received a complaint from [A] (hereinafter the complainant). The complaint was based on the fact that the Office of the National Medical Examiner had shared personal information about the complainant in a letter to [association X] following the association's suggestions to the office [regarding] the treatment of patients in that area of Landspítali, where the complainant was the head of department. More specifically, the letter contained information that the complainant had been placed on indefinite leave and another person had taken over his job.

Personal protection invited the Office of the National Medical Examiner to comment on the complaint with a letter dated 17 August 2022 and the office's answers were received by email on 19 September s.á. The complainant was then given the opportunity to express comments on the answers of the Office of the National Medical Examiner with a letter dated 21. p.m., and they were received by e-mail on 13 October s.á.

When resolving the case, all of the above-mentioned documents have been taken into account, although not all of them are separately explained in the following ruling.

2.
The main points of view of the parties

There is a dispute as to whether the Office of the National Medical Examiner was authorized to share personal information about the complainant in the letter in question to [association X].

The complainant essentially relies on the fact that the transmission of personal information about him to [association X] by the Office of the National Medical Examiner was unlawful, as there was no authorization for the processing according to Article 9. Act no. 90/2018 on personal protection and processing of personal information. The complainant believes that the comments of the Office of the National Medical Examiner regarding his indefinite leave were presented as if they were specific sanctions due to what was stated in the suggestions of [association X] to the office. The complainant believes that [the non-profit organization X] was not involved in the case that was handled by the Office of the National Medical Examiner as a result of those suggestions. The complainant also notes that the office did not give him the opportunity to comment on the information before it was sent to [the non-profit organization X], to his displeasure. Finally, the complainant believes that the personal information in question was confidential information, but in this regard he refers to paragraph 1. Article 7 Information Act no. 140/2012, to the effect that the public's right to access data according to that law does not cover matters of job applications, job advancement and the employment relationship in other respects.

On the part of the National Medical Examiner's Office, it is based on the fact that the processing in question was based on items 3 and 5. Article 9 Act no. 90/2018, where the office has a legal obligation to supervise health services and exercise public authority for that purpose, cf. II. chapter of law no. 41/2007 on the national doctor and public health. The suggestions of [association X] have been responded to by starting an inspection case and the office's relations with [the association] have been based on the rules of the Administrative Law on the right to information and the duty to provide guidance, but the letter in question has been sent following repeated inquiries about the status of the case. The association appeared on behalf of its members, [...] who had an interest in the resolution of the case, but at the same time the office informed the association that individual members could present a complaint. The office also believes that the processing was in line with the principles of the Personal Protection Act, as the processing was lawful and fairness and proportionality were observed, given that limited information about the complainant was provided. The office states that since it is a control issue, it was difficult to educate the complainant about what information about him might be processed. Finally, the Office of the National Medical Examiner is based on the fact that it was unavoidable to process the complainant's personal information during the handling of the inspection case, as the suggestions of [association X] were mainly focused on the management of the department that the complainant headed.

II.
Conclusion
1.
Limitation of case - Scope - Responsible party

This case pertains to the National Medical Examiner's Office sharing personal information about the complainant to [association X] during the handling of an inspection case at the office. However, the case does not relate to other processing of said information by the office.

Scope of law no. 90/2018, on personal protection and processing of personal data, and regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thus the authority of Personal Protection, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partially or fully automated and the processing of personal data that is or is to become part of a file by methods other than automatic. The processing to which this case relates falls under the scope of the law and the regulation and thus under the authority of the Data Protection Authority.

As is the case here, the Office of the National Medical Examiner is considered to be the party responsible for the processing in question according to Act no. 90/2018, on personal protection and processing of personal data, and Regulation (EU) 2016/679.

2.
Lawfulness of processing

All processing of personal data is subject to the fact that it falls under one of the authorization provisions of Article 9. Act no. 90/2018, cf. Article 6 of regulation (EU) 2016/679. As is the case here, item 3 is the preferred item to be considered. of the legal provision, cf. Clause c of the regulatory clause, which stipulates that personal data may be processed if it is necessary to fulfill a legal obligation that rests on the responsible party.

When evaluating authorization according to the quoted provisions, the provisions of other laws that we may have at any given time must be taken into account.

The role of the National Medical Examiner's Office is defined in paragraph 1. Article 4 Act no. 41/2007 on the national doctor and public health. It states that its main role is, among other things, to supervise health services and health workers (point e) and to deal with complaints from the public regarding health services (point j). In accordance with paragraph 4 of the same legal article, the office is authorized to process personal information to fulfill statutory duties according to the law, subject to the fulfillment of the more detailed conditions of law no. 90/2018 on personal protection and processing of personal information.

Next, we will examine whether the provisions of Administrative Law no. 37/1993 is also applicable in relation to the assessment of processing authorization, in particular whether [the non-profit organization X] was entitled to information about the control matter in question on the basis of Article 15 of the law. In that context, it should be noted that law no. 90/2018 do not limit the right to access prescribed in administrative law, cf. Paragraph 2 Article 5 Act no. 90/2018. As regards the complainant's reference to paragraph 1. Article 7 Information Act also refers to paragraph 2. Article 4 of that law, to the effect that they do not apply to access to data according to the administrative law.

On the part of the complainant, it is based on the fact that [non-profit organization X] did not act on behalf of a particular patient and was also not involved in the control case that was being processed by the Office of the National Medical Examiner. On the other hand, it has been stated by the National Medical Examiner's Office that the office considered [non-profit organization X] to act towards the office on behalf of its members [...] and that the office considered that they could have an interest in the resolution of the case. The office has also instructed the association that individual members could present a complaint.

Participation in an administrative case depends on the general membership rules of the administrative law, but according to them, only those who have a direct, unique, significant and legally protected interest in its resolution can participate in a case. Non-profit organizations can act on behalf of parties in an administrative case according to a power of attorney, but it is also recognized that non-profit organizations can have independent membership for the sake of their members, if a significant part of them has a unique and significant interest in the resolution of a case and the protection of these interests is considered one of the declared purposes of the organization. Regarding this, for example, reference is made to the opinions of the Parliamentary Ombudsman from 13 June 2007 in case no. 4902/2007 and from July 6, 2008 in case no. 5475/2008.

When the case preparation of the National Medical Examiner's Office is examined holistically, in the opinion of the Data Protection Authority, it cannot be considered that it is based on the fact that individual members of [association X] have given the organization proper authority to convey a suggestion to the office. Rather, the office seems to have admitted the organization's participation in the monitoring case on the basis of similar points of view to those outlined above. As is the case here, Personal Protection does not consider it necessary to comment on that position. It follows that [the non-profit organization X] [enjoyed] rights according to the provisions of administrative law no. 37/1993 and it is therefore necessary to consider the provisions of that law, as appropriate, when evaluating authorization according to law no. 90/2018 and Regulation (EU) 2016/679.

In the opinion of the Data Protection Authority, the personal data to which this complaint relates, and which was stated in the letter from the Office of the National Medical Examiner to [association X], concerned the monitoring matter that was being processed by the office, and it also considered that the organization was a member, as stated above.

According to Article 15 administrative law no. 37/1993, a party to a case has the right to access documents and other data related to the case. It has been understood that this rule implies that a party to a case has the right to study all the documents of a case, regardless of the form the documents are in and whether they come from the government itself or others.

In the opinion of the Personal Protection Agency, the only thing that can be seen is that the letter in question was intended to summarize the content of the existing case file. In doing so, the Office of the National Medical Examiner sought to respect the statutory right to information [of the association X], without directly providing the association with a copy of the data.

With reference to the above, the Data Protection Authority believes that the processing was necessary in order for the responsible party to be able to fulfill the legal obligation that rested on him according to the above provisions. Therefore, the processing was permitted on the basis of item 3. Article 9 Act no. 90/2018, cf. c-point 1. paragraph Article 6 of regulation (EU) 2016/679.

In addition to authorization, the processing of personal data must be compatible with the principles of paragraph 1. Article 8 Act no. 90/2018, cf. Paragraph 1 Article 5 of regulation (EU) 2016/679, which stipulate, among other things, that personal data must be processed in a lawful, fair and transparent manner towards the data subject (section 1 of the legal provision) and that it must be sufficient, appropriate and not beyond what is necessary based on the purpose of the processing (item 3 of the legal provision). The responsible party is responsible for ensuring that the processing of personal information is always compatible with the principles and must be able to demonstrate this, cf. Paragraph 2 Article 8 of the Act and paragraph 2 Article 5 of the regulation.

When assessing whether compliance with the principle that personal data must be processed in a lawful, fair and transparent manner towards the data subject, it may be necessary to consider the provisions of the personal protection legislation on the obligation to educate. As is the case in this case, Article 14 is tested there. of regulation (EU) 2016/679.

It is clear in this case that the Office of the National Medical Examiner responded to the suggestions of [association X] regarding the treatment of patients at [...] Landspítala by starting an inspection case and the office considered it right to inform the association about the status of the case. According to the office's explanations, the sharing of personal information about the complainant was unavoidable, as the suggestions of [association X] focused mainly on the management of the department of which the complainant was the head of department.



In the opinion of the Data Protection Authority, the complainant could hardly hide that information about him would be recorded in the control file of the responsible party, taking into account that the case directly concerned the area of Landspítala that the complainant managed. The Personal Protection Authority also considers that the responsible party has not carried out according to point e of paragraph 1. Article 14 of Regulation (EU) 2016/679 to specifically inform the complainant that his personal data would be communicated to [association X] as a party to the control case. In that regard, the right of the parties to a case to study the documents concerning the case is taken into account according to the aforementioned provision of Article 15. administrative law no. 37/1993, cf. point c, paragraph 5 Article 14 of the regulation on an exception from the obligation to educate the data subject due to the lawful sharing of personal information.

It should also be considered that the information about the complainant that was stated in the letter in question was materially limited, but did directly concern the measures that had been taken in connection with the suggestion of [association X], i.e. that the complainant was on indefinite leave from his job. Also note in this connection that direct and unrestricted access [of the association X] to case documents, instead of a summary, would probably have been more burdensome for the complainant. The Personal Protection Agency therefore believes that with the above-mentioned arrangement of the information provision, the Office of the National Medical Examiner has taken care of fairness towards the complainant and also ensured that the information was sufficient, relevant and not beyond what was necessary based on the purpose of the processing, i.e. to inform the parties of a case about its status and the content of the case file.

To this end, the processing may be compatible with paragraphs 1 and 3. Paragraph 1 Article 8 Act no. 90/2018, cf. points a and c of paragraph 1 Article 5 of regulation (EU) 2016/679.

In view of all the above, the conclusion of the Personal Protection Authority is that the aforementioned processing by the Office of the National Medical Examiner of the complainant's personal information was in accordance with Act no. 90/2018, on personal protection and processing of personal information, cf. regulation (EU) 2016/679.

Ruling:

The processing of personal information about [A] by the Office of the National Medical Examiner, which consisted in sharing personal information about him in a letter to [association X], was in accordance with the provisions of Act no. 90/2018, on personal protection and processing of personal information, cf. regulation (EU) 2016/679.

Personal data protection, December 22, 2022

Bjarni Freyr Rúnarsson Steinunn Birna Magnúsdóttir