Persónuvernd (Island) - Mál nr. 2022050993

From GDPRhub
Revision as of 14:06, 24 January 2024 by 84.113.103.211 (talk)
Persónuvernd - Mál nr. 2022050993
[[File:|center|250px]]
Authority: Persónuvernd (Island)
Jurisdiction: Iceland
Relevant Law: Article 6(1)(c) GDPR
Article 6(1)(f) GDPR
Article 9(2)(h) GDPR
Type: Complaint
Outcome: Rejected
Started: 22.12.2023
Decided: 10.01.2024
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: Mál nr. 2022050993
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Mál nr. 2022050993 (in IS)
Initial Contributor: sh

The Icelandic DPA rejected a complaint about the sharing of medical data by the City of Reykjavík as the exemption Article 9(2)(h) GDPR applied.

English Summary

Facts

The data subject applied to the City of Reykjavík (the controller) to continue receiving state-funded child care. By proving her medical inability to work, the state is legally obliged to provide child care for her. She therefore sent her medical certificate assesing her fitness to work to the controller. She signed a consent form, where it was stated that the data that would be obtained on the basis of it would not be used for any other purpose than to process the application.

Nonetheless, her medical certificate was handed over between departments and divisions of the city, as well as to the city attorney and from there to third parties (court-appointed appraisers).

The data subject complained that her confidentiality had not been respected and that the city did not implement appropriate technical and organisational measures

Holding

The Icelandic DPA rejected the complaint on the basis of Article 6(1)(C) GDPR as the processing was necessary for compliance with a legal obligation to which the controller was subject to.

First, the assesment of her medical condition, and thus the processing of her medical certificate by the controller is a mandatory requirement under national law. In order to receive state-funded child care, it is required that a medical certificate be provided.

Second, the city attorney represents the City of Reykjavík and its institutions. His access to the medical certificate was also required by national law because due to doubts about the wording in the complainant's medical certificates, the School and Leisure Department of the City of Reykjavík requested a legal opinion from the city attorney on whether the medical certificate in question met the aforementioned conditions of the regulation on work skills.

Third, the communication by the city attorney of the complainant's personal information to her attorney and court-appointed evaluators was legally processed under Article 6(1)(f). The data subject was (at the time) party to another civil case before the courts. The parties to a civil case before the courts have a legitimate interest in its outcome. The DPA decided that the parties to the dispute must be given some leeway in assessing what personal information is necessary to work with in order to resolve the legal dispute and in what way.

Last, while the processing of her medical certificate qualifies as health data under Article 9 GDPR. The DPA decided that the controller could rely on the exemption outlined in Article 9(2)(h) GDPR.

Comment

The DPA could have also allowed the city attorney to be excempted from processing health data under Article 9(2)(f) GDPR.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Solutions

The City of Reykjavík's processing of personal information in connection with work permits and the city attorney's sharing of some of them with attorneys and assessors for court cases

Case no. 2022050993

10.1.2024

When personal information is made available to different areas of the same responsible party, it is not considered sharing, but the use of personal information. In addition, sharing an individual's personal information with a lawyer who is representing him is considered equivalent to sharing it with the individual himself.

Personal data protection has considered that the parties to a civil case before the courts have a legitimate interest in its outcome and believes that they must be allowed some leeway in assessing what personal information is necessary to work with in order to resolve the legal dispute and in what way.

----

Personal protection ruled in a case where a complaint was made about the delivery of sensitive personal information of the complainant, who had worked with the school and leisure department of the city of Reykjavík, between the departments of the city and to the city attorney in connection with the renewal of the work permit for a daycare in a home on the one hand. However, over the sharing of sensitive personal information by the city attorney to the complainant's attorney and court-appointed assessors in connection with a compensation case she filed against the City of Reykjavík due to an accident at work.

Personal protection came to the conclusion that the processing of the City of Reykjavík in connection with the complainant's work permit application by the city, i.e. on m. the delivery of a medical certificate to the city attorney for a legal assessment requested by the school and leisure department would have been in line with the provisions of the Act on Personal Protection and Processing of Personal Information.

The Personal Protection Agency then came to the conclusion that the interests of the City of Reykjavík outweighed the sharing of medical certificates to the complainant's lawyer and the court-appointed assessors, but the complainant's interests and fundamental rights and freedoms were outweighed by the fact that the sharing did not take place. Personal protection therefore came to the conclusion that the sharing of the data was in accordance with the law.

Ruling

about a complaint about the processing of personal data by the City of Reykjavík in case no. 2022050993:

i

Procedure

On May 27, 2022, Personal Protection received a complaint from [A] (hereinafter the complainant), regarding the handing over of sensitive personal information about her, which had been worked with at the Reykjavík City School and Leisure Department, between the city's departments and to the city attorney in connection with the renewal her work permit for home daycare. On the other hand, over the city attorney's sharing of sensitive personal information about her to her attorney and court-appointed assessors in connection with a compensation case she filed against the City of Reykjavík due to an accident at work.

Personal Protection invited the City of Reykjavík to comment on the complaint by letter, dated 13 April 2023, and the city's answers were received on 11 June s.á. The complainant was then given the opportunity to submit comments to the City of Reykjavík's responses by letter, dated 4 May s.á., repeated on 5 July s.á., and received by e-mail 19. s.m. On September 26, 2023, the complainant called the Personal Protection Agency and requested to submit additional data in the case. By e-mail on the same day, six documents were received from the complainant.

When resolving the case, all the above-mentioned documents have been taken into account, although not all of them are separately explained in the following ruling.

The processing of the case has been delayed due to the heavy workload at Personal Protection.

___________________

The complainant relies on the fact that she signed a consent form, dated February 23, 2021, where it was stated that the data that would be obtained on the basis of it would not be used for any other purpose than to process the application, but this was not adhered to and the data, i.e. on m. medical certificate, dated March 18, s.á., has been handed over between departments and divisions of the city, as well as to the city attorney and from there to third parties, i.e. of the aforementioned court-appointed appraisers. Confidentiality has not been respected and technical measures such as access control have not been taken care of. It is also stated that data collection in assessment cases should be carried out by the assessors, that the city attorney should not have handed over the data in question at first glance, and that the assessors should have sought them from the complainant's lawyer.

With the complainant's answers in the later stages of the case, i.a. Consent form from the City of Reykjavík regarding the processing of her personal data during the assessment of the fitness to work by a confidential physician, signed by the complainant on February 23, 2021. Regarding the handling of data within the City of Reykjavík, the city relies on the fact that the complainant submitted an application for the renewal of a home day care work permit on May 29, 2020. In connection with the application, the complainant also submitted a medical certificate, dated 25. s.m., where certain health problems were described but it was also noted that there was nothing against the complainant working with children. When the complainant's work permit expired on August 20, 2020, the City of Reykjavík's school and leisure department requested an advisory legal opinion from the city attorney regarding the certificate, given that another case concerning the complainant was pending before the courts, i.e. aforementioned damages case. The City of Reykjavík also relies on the fact that there was no real mediation as the city attorney is acting as a representative for damages claims directed against the City of Reykjavík, and therefore it was one and the same responsible party. On September 3, 2020, the city attorney gave his opinion that the medical certificate did not meet the provisions of regulation no. 907/2005 on daycare in homes, cf. amending regulation no. 409/2023. If the complainant has been notified, by letter of the day. September 10, 2020, about the city's position and that it was planned to refuse the request. Furthermore, the complainant was invited to present new data and points of view before the final decision on processing the application was made. The complainant objected to the City of Reykjavík's position, referring to the fact that the certificate specifically stated that nothing would prevent the complainant from working with children, but the complainant did not submit a new medical certificate. On December 9, 2020, the complainant was informed of the rejection of her request for the renewal of the work permit. By letter, dated On January 21, 2022, Reykjavík City's school and leisure department invited the complainant to undergo an assessment of occupational fitness by a confidential physician and a form for informed consent was included with the letter. By e-mail on February 9, s.á. if the complainant's lawyer has conveyed his client's views regarding the approval. In a letter from the City of Reykjavík, dated 18. s.m., it was clearly stated that if the complainant chooses to submit the certificate of a confidential physician and intends to rely on it, the City of Reykjavík employees involved in decision-making or counseling would have the right to access the certificate in question along with other documents accompanying the application.

Regarding the delivery of data to the appraisers, the City of Reykjavík relies on the request of the complainant's lawyer to the Reykjavík District Court, dated 22 November 2022, he has, with reference to paragraph 1 Article 77 in XII. chapter of law no. 91/1991 on the handling of civil cases, cf. IX. section of the law, it was requested that two impartial and expert men be summoned to the court to assess the consequences of the accident at work which was the cause of the aforementioned compensation case filed by the complainant. As a basis for that case, the complainant submitted over 40 documents, i.a. a medical certificate stating that she was totally unable to work. In the opinion of the City of Reykjavík, it was wrong that the complainant declared that she was in good health in one case, but completely unable to work in another case in her litigation against the City of Reykjavík. There was therefore a large inconsistency in the information provided about her work skills in the two cases. Given that the complainant informed the City of Reykjavík about the information, it will be considered that the complainant should have known that it would be used to defend against her legal claims. In addition, the complainant's lawyer was simultaneously sent the documents in question.

The City of Reykjavík also relies on the fact that personal information is stored securely by the city within the city's document storage systems and that its storage is access-controlled. The information is shared in locked documents between departments and offices, and this was also the case when the school and leisure department sent the aforementioned data to the city attorney. Personal information about the complainant was only sent to those who necessarily needed access to it, and reasonable care was thus taken during the processing. In addition, all City of Reykjavík personnel are bound by the statutory duty of confidentiality and confidentiality.

II.

Conclusion

1.

Delimitation of case – Guarantor

On the one hand, this case concerns the handing over of medical certificates about the complainant, which she had submitted to the school and leisure department, to the city attorney. In this regard, it should be noted that it cannot be determined from the documents of the case that the certificates were otherwise handed over between the departments and departments of the city, as the complaint seems to assume. On the other hand, the case concerns the city attorney's delivery of the certificates to the complainant's attorney and the assessors in the compensation case. The case concerns the processing of personal data that falls under the authority of the Personal Protection Agency.

The person responsible for ensuring that the processing of personal information complies with the Personal Data Protection Act is referred to as the responsible party. Individual departments and divisions of a legal entity are not considered independent parties responsible for the processing of personal information. It is also clear that the city attorney represents the City of Reykjavík and its individual departments and institutions on legal matters and for compensation claims directed against the city. Therefore, the City of Reykjavík is considered to be the party responsible for the processing in question according to Act no. 90/2018, on personal protection and processing of personal data, and Regulation (EU) 2016/679.

With reference to the above, it was not a case of sharing personal information from one responsible party to another, when information about the complainant was handed over to the city attorney in connection with the city's activities. It did, however, mean that personal information was made available to employees at the city, and to that extent it involved the processing of personal information about the complainant, as is the case here.

Also, the communication of the complainant's personal information to a lawyer, who is representing her in a dispute where the information is relevant, is considered to be communication to herself.

2.

Lawfulness of processing

2.1

Legal environment

All processing of personal data must be covered by one of the authorized provisions of Article 9. Act no. 90/2018, cf. Article 6 of regulation (EU) 2016/679. For example, personal data may be processed if the processing is necessary to fulfill a legal obligation that rests on the responsible party, cf. Number 3. of the legal provision and point c of the regulatory provision, as well as if the processing is necessary due to the legitimate interests of the responsible party or a third party unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, outweigh, cf. Number 6. of the legal provision and section f of the regulatory provision. In addition, the processing of sensitive personal data must be compatible with one of the additional conditions of paragraph 1. Article 11 of the law, cf. Paragraph 2 Article 9 of the regulation. According to point b of 3. no. Article 3 according to the law, health information is sensitive, but a complaint must indicate that information about the complainant's health has been processed. As is the case here, item 8 comes into consideration in particular. Paragraph 1 Article 11 of the law, to the effect that the processing of personal information is permitted if it is necessary to prevent diseases or for occupational medicine, to assess an employee's work skills, diagnose diseases and provide care or treatment in the field of health or social services and there is a special legal authorization for it, since if it is performed by an employee of such a service who is bound by a duty of confidentiality, cf. h-item 2. paragraph Article 9 of the regulation, and item 6. Paragraph 1 Article 11 of the law, to the effect that the processing of sensitive personal information is permitted if it is necessary to establish, maintain or defend legal claims, cf. point f, paragraph 2 Article 9 of the regulation.

When evaluating authorization for processing, provisions in other laws that are applicable in each case must also be taken into account. As is the case here, law no. 40/1991 on municipal social services, Act no. 91/1991 on the handling of civil cases and regulation no. 907/2005 on daycare for children in homes. These legal sources will be discussed below as appropriate.

In addition to authorization according to the above, the processing of personal data must be compatible with all the principles of paragraph 1. Article 8 Act no. 90/2018, cf. Paragraph 1 Article 5 of regulation (EU) 2016/679. The principles stipulate, among other things, that personal data must be processed in a lawful, fair and transparent manner towards the data subject, cf. Number 1. of the legal provision, that they must be obtained for a clearly specified, legitimate and relevant purpose and not further processed for other and incompatible purposes, cf. Number 2. of the legal provision, that they must be sufficient, appropriate and not beyond what is necessary based on the purpose of the processing, cf. Number 3. of the legal provision, and that they must be processed in such a way that the appropriate security of the personal information is guaranteed, cf. Number 6. of the legal provision.

2.2

The City of Reykjavík's processing of the complainant's personal information in connection with her application for a home day care work permit

Licensing for day care of children in homes came under the Reykjavík City School and Leisure Department from September 12, 2011 until January 1, 2022, when the Quality and Supervision Agency for Welfare took over the issuance of such licenses. Accordingly, the licenses in question fell under the school and leisure sector.

In the case it is known that on May 29, 2020, the complainant applied for the renewal of his work permit for day care at home. In Article 13 regulation no. 907/2005 on daycare for children in homes, which was established with authorization in Article 34. Act no. 40/1991 on municipal social services, with subsequent amendments, stipulates conditions for such licensing. In number 3 Article 13 of the regulation, it is required that the applicant for a work permit confirms with a medical certificate that no signs of a disease have been found that could prevent him from taking on daycare for children at home. Also that other members of the household have been examined and that nothing wrong with their health has been found that would prevent them from living together with children.

From the above, it can be deduced that according to the mentioned regulatory provision, the City of Reykjavík's mandatory assessment of the work skills of applicants for the aforementioned work permit, i.e. on m. on the basis of submitted medical certificates.

The City Attorney represents the City of Reykjavík and its institutions, i.a. on legal matters. It is also known that due to doubts about the wording in the complainant's medical certificates, the School and Leisure Department of the City of Reykjavík requested a legal opinion from the city attorney on whether the medical certificate in question met the aforementioned conditions of the regulation on work skills.

In light of the above, the Personal Protection Authority believes that the City of Reykjavík's processing of personal information about the complainant could have relied on an authorization according to section 3. Article 9 Act no. 90/2018, cf. also point c, paragraph 1 Article 6 of regulation (EU) 2016/679. In addition, the City of Reykjavík's Personal Data Protection considers the processing of the complainant's sensitive personal information to have been able to rely on section 8. Paragraph 1 Article 11 of the Act and point h of paragraph 1 Article 9 of the regulation.

3.2

Communication by the city attorney of the complainant's personal information to her attorney and court-appointed evaluators

According to the available data, the complainant filed a compensation case against the City of Reykjavík due to a work accident she had on March 21, 2020. In the case, a medical certificate was submitted by the complainant stating that she was completely unable to work. It was also revealed that the city attorney, who represented the City of Reykjavík in the compensation case, had given his opinion on the complainant's second medical certificate for the renewal of her application on May 29, 2016. about a work permit for daycare in a home. In that certificate it was stated that there was nothing against the complainant working with children. The City of Reykjavík therefore had data with conflicting information about the complainant's health and work skills. On the part of the City of Reykjavík, it is based on the fact that the processing of personal information about the complainant was necessary in order to protect the city's legitimate interests. The city attorney believed that the discrepancy in the information could be important in the resolution of the legal dispute and passed the certificates to the complainant's attorney and to the assessors that the complainant herself had requested to be summoned to make an assessment in the case.

Personal protection has considered that the parties to a civil case before the courts have a legitimate interest in its outcome. In addition, the Personal Protection Authority has considered that the parties to the dispute must be given some leeway in assessing what personal information is necessary to work with in order to resolve the legal dispute and in what way. Also, the legal custody rule is an unwritten basic rule in Icelandic civil law and is based on, among other things, on the fact that the parties gather evidence themselves.

Taking into account the fact that the city attorney represented the City of Reykjavík in the case in question and the available documents and explanations of the parties involved in the legal dispute in the compensation case, it must be considered that the interests of the City of Reykjavík in sharing the data outweighed the interests and fundamental rights and freedoms of the complainant that the mediation does not take place, cf. Number 6. Article 9 Act no. 90/2018, cf. point f, paragraph 1 Article 6 of regulation (EU) 2016/679.

In terms of the city attorney's sharing of personal information about the complainant's state of health to her attorney and the court-appointed evaluators, it is also the opinion of the Personal Protection Agency that she was able to rely on the conditions of section 6. Paragraph 1 Article 11 of the law, cf. point f, paragraph 2 Article 9 of the regulation, which refers to the fact that the processing of sensitive personal data is permitted if it is necessary to establish, maintain or defend legal claims.

3.3

Fair and transparent processing – Education – Security of information

It will then be examined whether the processing has been compatible with the principles of paragraph 1. Article 8 Act no. 90/2018 and paragraph 1 Article 5 of regulation (EU) 2016/679, i.a. whether the personal data has been processed in a lawful, fair and transparent manner, whether it has been obtained for a clearly specified, legitimate and legitimate purpose and not further processed for other and incompatible purposes, whether reasonable care has been taken and whether the appropriate security of the information has been ensured, cf. 1., 2., 3. and 6. number. Paragraph 1 Article 8 of the Act and points a, b, c and f of paragraph 1. Article 5 of the regulation.

The requirement for fair and transparent processing of personal information includes, among other things, states that individuals should be aware when personal information about them is collected, used, viewed or processed in another way. More detailed rules on transparency and education are in 12.-15. art. of regulation (EU) 2016/679, cf. Article 17 Act no. 90/2018, which stipulates the notification and education obligation of responsible parties and the information and access rights of registered persons and the limitations thereof. In 1.-3. paragraph Article 13 of the regulation deals with the information that must be provided when collecting personal information from a registered person. According to paragraph 4 Article 17 of the Act and paragraph 1 Article 23 of the regulation, however, it is permitted to limit the right of the registered person according to Article 13. of the regulation, such a restriction respects the nature of fundamental rights and human freedom and is considered a necessary and moderate measure in a democratic society, i.a. to ensure that private legal requirements are met, cf. Number 7. Paragraph 4 Article 17 of the Act and point j of paragraph 1 Article 23 of the regulation. In addition, it is permitted to limit the obligation to educate the complainant to the extent that the registered person has already received knowledge of the processing, cf. Paragraph 4 Article 13 of the regulation.

As regards the transparency requirement in connection with the renewal of the complainant's work permit, it is the assessment of the Personal Protection Authority, i.a. in light of the complainant's consent to the processing of the occupational fitness assessment of the City of Reykjavík's confidential physician, that paragraph 4. Article 13 of the regulation applied. There is therefore no violation of the privacy legislation in that regard.

As regards the processing of the complainant's personal information due to a legal dispute in a compensation case, it is considered that it could impair the right to protect one's interests in a normal manner in a court case, to have to inform in advance how the case preparation will be conducted and on which data will be based. Furthermore, the Data Protection Authority believes that the complainant should have been aware that the City of Reykjavík, as a party to the case initiated by the complainant, would work with the personal information that is being discussed here, but the complainant submitted the information himself and based his case preparation on part of it. In light of these points, Personal Protection considers item 7. Paragraph 4 Article 17 Act no. 90/2018 and paragraph 4 Article 13 regulations (EU) have been applicable in the case and that there was no need to provide special education here.

In addition, it will not be considered that when personal data is used for the resolution of a legal dispute, and it is relevant in that regard, processing is carried out for other and incompatible purposes compared to the one originally based on, cf. Paragraph 3 Article 13 and point b of paragraph 1 Article 5 of regulation (EU) 2016/679, cf. also number 2. Paragraph 1 Article 8 Act no. 90/2018. It will not be seen that the information in this case was meaningless due to the legal dispute in question, and therefore it is not considered that the aforementioned provisions have been violated.

The City of Reykjavík's explanations also state that its filing systems are access-controlled and that the complainant's data was sent between departments in locked documents. Furthermore, the information was only sent to those who absolutely needed access to it and that proportionality was observed during the processing. In addition, all City of Reykjavík personnel are bound by the statutory duty of confidentiality and confidentiality.

With reference to all of the above, it is the conclusion of the Personal Protection Agency that the processing of personal information that is being resolved has been consistent with the principles of paragraph 1. Article 8 Act no. 90/2018 and paragraph 1 Article 5 of regulation (EU) 2016/679.

In addition, it is the opinion of the Data Protection Authority that the City of Reykjavík has taken appropriate technical and organizational measures when processing the complainant's personal information to ensure adequate security of the complainant's personal information, cf. Article 27 Act no. 90/2018, cf. Article 32 of regulation (EU) 2016/679.

Ruling:

The City of Reykjavík's processing of personal data [A], i.e. on m. her health information, in connection with the application for a permit for daycare in a home, was compatible with the provisions of Act no. 90/2018, on personal protection and processing of personal information, cf. regulation (EU) 2016/679.

The City of Reykjavík's sharing of personal information [A], i.e. on m. her health information, to court-appointed assessors and her lawyer, in accordance with the provisions of Act no. 90/2018, on personal protection and processing of personal information, cf. regulation (EU) 2016/679.

Privacy, December 22, 2023

Þórður Sveinsson                           Rebekka Rán Samper