Persónuvernd - 2020010428

From GDPRhub
Persónuvernd - 2020010428
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Type: Investigation
Outcome: Fine
Started:
Decided: 5.3.2020
Published: 10.3.2020
Fine: 3,000,000 ISK
Parties: S.Á.Á
National Case Number/Name: 2020010428
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Persónuvernd (in IS)
Initial Contributor: n/a

Persónuvernd imposed a fine of ISK 3,000,000 (approx. 20,000 euro) on the organisation S.Á.Á for a security breach pursuant to Article 5(1)(f) and Article 32 GDPR. The security breach resulted in the disclosure of the names of 3,000 patients and detailed medical records of 252 individuals.

English Summary

Facts

The case and investigation was opened as a result of a data breach notification sent to Persónuvernd from S.Á.Á.

A retired employee, who was the head of the treatment home Vik before retiring, received «a significant amount» of personal data concerning patients, including the detailed medical records of 252 individuals and records of check-ins containing 3,000 names. The personal data was stored in boxes that was sent to the retired employee alongside his belongings.

Dispute

S.Á.Á. did not dispute that a breach of personal data had occurred. However, S.Á.Á. emphasized that the former head packed the boxes himself, and as a former chief he should have been clear about the contents of the boxes. In addition, S.Á.Á. stressed that the incident was related to human error, and that the organization had reviewed their organisational measures to avoid data breaches.

Holding

In the view of Persónuvernd, the delivery of the medical records was a result of lacking technical and organisational measures. The fact that the former employee had packed the boxes himself did not justify the lack of technical and organisational measures that should have prevented such a disclosure from S.Á.Á. as a controller of the personal data.

Comment

Add your comment here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

decision


On March 5, 2020, the Privacy Policy Board made a clear decision in case no. 2020010428 (formerly 2019071408):

I.

procedures

1.

Start of case

On July 21, 2019, Privacy Protection received a notification of security breach from S.A. medical institutions, Efstaleiti 7, 103 Reykjavík. A reference was made to the Facebook post of a former U. S. employee, [A], on July 19, 2019, discussing it when he handed over his personal items after his retirement, which he told U. S. employees. At. have packed down. Then, in the post, he said that when he had gone through this, medical records would be revealed that would have affected the number of former residents of the Sá.á. Was stated in the notification of Sá.Y. that on July 20, 2019, a privacy officer had urged [A] in a call that he had a duty of confidentiality and that he was required to submit the data. Then there had been an email to him the same day as he had said the data was received in the fall of 2018 along with personal items but he had not discovered it until the content review the day the Facebook post was published.

For this reason, the Data Protection Authority contacted [B], Director General of Medicines at S.Á.Á., on July 24, 2019, to ascertain whether the medical records of the organization, which their former employee had in their possession, were important for daily activities S.Á.Á. She did not say that the information from the data was in an electronic health record. A telephone call was also made to [C], the privacy officer of S.A., on the same day, to enable her to provide further information. She went over the process of tightening work processes to ensure data security.

The aforementioned former employee of S.A., [A], also filed a privacy complaint. July 21, 2019. There, he declared that the data was in a locked file in a secure location. He asked for instructions on what to do with the data afterwards, but also pointed out that he would not be in Reykjavik until August 13th. Subsequently, he was in contact with the Data Protection Authority. Requested its agency by letter, dated. July 25, 2019, confirming where the data was stored and how their security was maintained. Reply to Privacy Statement was then received by email on August 13, 2019.

It was stated there that the data had been entered into a locked archive, which was found at the [Healthcare Professionals Office where A worked]. In addition, his description of the case was stated. Specifically, his work at S.Á.Á. have completed […] 2017 in connection with what have been called organizational changes […]. In the last months before his retirement, he had a job at the outpatient department. in Efstaleiti but until then in the treatment home Vík where he has become [commander]. […] Much work has been done in Vík around this time and data from him has been packed down in connection with them and placed in a locked room. It is also stated, among other things, that in the fall of 2018, [employee S.A.] contacted him and requested that he retrieve the data in question, which was then stored in S.A. in the basement ward of Efstaleiti. If he had applied for them to some extent in two car trips, the remainder was S.A. sent by van and it later became clear that the patient data in question had been included, as described earlier. Have they been in a box marked "Patient record + folders + various" and have someone else write it on the box.

Following this reply, [A] sent a joint letter to the Data Protection Authority and the Office of the Director of Health, dated. On August 14, 2019, where the officials announced that it had been decided to direct to him a joint order that the said data should be delivered no later than August 16, 2019. The data was delivered to the Office of the Medical Director of Health on that day and reviewed, which stated that discuss detailed medical records 252 individuals and check-in books from Vík, as well as AA record books from the treatment center in Sogni. Then there was additional data in the home [A] that needed review. Therefore, a visit to the field was taken there together with the Office of the Director of Health on August 21, 2019, and the space where the data was stored, but in the case of […] and the data that was delivered 16 cm had also been there. The data were reviewed for [A] attendance and delivered to them which were relevant for the Office's examination and entered in the records of the Office of the Director of Health. Further privacy review of all data took place on October 31, 2019.

2.

The impact of the security breach

An examination of the content of the data revealed that it contained, among other things, sensitive personal information of patients who had been treated by S.Á.Á. More specifically, the following data is available:

Medical records from 252 individuals (as of 2016).
- Of those, seven were aged 16-17 at the time of registration.

Handwritten sheets and notes with patient information.
Printouts of e-mails about, among other things, a girl in the youth department of S.A.
Three printed documents from 1991 describing specific patients.
Patient lists from the Therapeutic Clinic from 2012, usually 18 years and older at the time of registration but occasionally 17 years.
Check-in books from Vík from 1997-2006 and one from 2009. In them are the following information:
- Names approx. 3,000 patients, often but not always their social security number, as well as phone numbers, sometimes with a spouse or friend.

- Sometimes job title, place of residence (address) and marital status.

- Date of enrollment.

The extension leaflet is marked by the medical institution Vogi.
Nurses' reviews.
Patient behavioral assessments (eg, "is polite", "isolates", "is cynical", "is well-connected", etc.).
Two letters from patients to Vik.
Meeting books of the AA faculty at Sogni for the years 1982–1988, 1999, 1999–2003 and 2005–2007.
Diary from work S.Y. from 2015 with the names of patients and, among other things, enumeration of people in the so-called "mini-group", though not full names;
Guest book from Sogni with entries from, among other patients, from 1978-1989;
Photographs from S.Á.Á.
The most detailed information was found in the aforementioned medical records data from 2016. It was specified in more detail the following data: 

The so-called treatment sheets are titled "Medical record no. … “Provide basic information about the person concerned, ie. social security number, education, marital status, places of employment, housing conditions, child support payments and the number of children provided, but also basic information about the spouse, ie. ID number, job and job locations. Also on the back is a completed questionnaire on symptoms and consumption, including on what topics about advice and participation in the work of the AA and Al-Anon.
The treatment sheets provide additional data, to varying degrees, with information about each patient. These attachments are stapled to the treatment sheets or kept in a folder. Among the available data are nurses' comments about detoxification, notes from family interviews, patient diary entries, medication cards, self-assessment sheets and questionnaires filled out by parents.
The data contains further information on drug use, including what kind of drugs the person in question had used and information on previous treatment, all marked by name and social security number. The majority of the accompanying documents included information about how the person went (at that time) to treatment and detoxification, for example handwritten diary entries from the people themselves about how they were treated.
The data included, for example, [seven individuals under the age of 18, including information on criminal conduct]
Two randomized reports examined patients who had attempted suicide.
3.

Data obtained from S.Á.Á.

As a result of the investigation, the Data Protection Authority sent a letter to S.Á.Á., dated. September 20, 2019. There, with reference to points 1 and 5. Paragraph 1 Article 41 Act no. 90/2018, requested copies of the data that had been prepared on the processing of personal data processed by S.Á.Á. on m. procedures that may have been established or other documentation of information security, such as quality manuals, teaching or reference material for staff. Information was also requested as to whether S.A. had compiled a processing file in accordance with Article 26. Act no. 90/2018 or carry out an assessment of the impact on privacy according to Art. Article 29 same law.

Response was received from S.A.A in a letter, dated. October 2, 2019, where security was S.A. described, in addition to the requested data. Most of the work referred to will have taken place in the winter of 2018-2019, ie. before the security fails.

The data that S.Á.Á. sent Privacy are as follows:

Information Security Policy of May 22, 2019
Security rules from February 2019
Information Security Policy - Implementation of individual security elements
Procedures for handling e-mails and employees' online use
Rules of Procedure on the Treatment of Workers' Documents from July 9, 2019
SÁÁ's Privacy Policy of May 28, 2019
Treatment of personal data of patients SÁÁ, document of July 6, 2018
Handling of personal data of SÁÁ employees, document dated July 6, 2018
SÁÁ gender equality policy of 2018
SÁÁ staff policy from 2017
Employees and gender equality policy of 2018
SÁÁ outsourcing policy from February 2019
Information Technology Procedures from February 2019
Requirements for content of service agreements with ICT parties
Letter from the Security Committee from May 2019
Process file from January 22, 2019
Processing file for various processes from January 23, 2019
Security Failures - Deviation Registration
Risk Assessment for the SÁÁ Information System of August 16, 2019 (Documents on its premises, change history, threat definition and risk assessment results with suggestions for improvement)
Emergency plan for the operation of SÁÁ's information systems from May 2019
Two checklists for audits
Work contract with [X], date. October 12, 2018
Work contract with [Y], date. April 23, 2019
Work contract with [Z], date. February 21, 2019
4.

Site visit in Vík

[A visit to the site was held in Vík, Kjalarnes, August 16, 2019. The visit discussed the storage of data on the site, a computer system was investigated and questions were asked for staff, as well as the housing was followed by employees of S.Á.Á. and conditions examined. It was stated that the general rule was that paper data was not stored for long periods. There would be an enrollment book for 2018 but in fact there was no reason to keep such books anymore as all information was electronically recorded and everything had been electronically in operation from March 2018. It was also stated, among other things, that access control to rooms, access was restricted with individual employees and he registered. It was also stated that health records were stored in access-controlled systems and the role of users defined, as well as a service provider, hosting a 24-hour watch on the system. It was stated that the Security Group had the role of formulating processes and preparing documents, that a risk assessment was completed in May 2019 and that it was under review. Privacy policy would have been made available to staff and ethics made for employees of Sá.Y.]

Regarding the delivery of data to [A], it was stated that boxes with them had been placed in locked storage in Efstaleiti and retrieved in October 2018. The delivery had been decided by telephone. There would have been many boxes that [A] himself had packed in, along with more staff. Then it was stated that S.Y. had been informed of the security breach through Facebook, the organization had not been specifically notified of it.

5.

Site visit to Vog

[A visit to the Vog on November 22, 2019 was conducted to examine the preservation of medical records in paper form. Upon arrival, the main entrance was locked. The premises were accompanied by employees of S.A. and conditions examined. It was found that the use of paper data was declining and that they were not stored in offices except when they were in process and the offices were locked. This procedure was shown by opening the door to one office with a key and there was no visible data on patients. In other respects it should be noted that archives and archives were inspected. It was found that documents were stored in safe, fireproof spaces, including on m. special fireproof cabinets that were locked with a number lock. It was also revealed that electronic monitoring was used to ensure security and that security arrangements were in place for keys.]

6.

Privacy Policy Instructions

Following the aforementioned on-site visit, the Data Protection Authority considered that the security of the paper data at Vogi ​​was adequate. Then the agency considered the data that [A] had received from S.A. is no longer necessary for the purposes of the investigation. There were data from the Fjalladeildur AA's activities in Sogni, as well as data from the Association of Alcoholic Advisors who had been with [A], therefore delivered to the companies concerned on December 4, 2019. Then there were data from the activities of S.Á.Á. delivered to the organization on the same day as it was done in collaboration with the Data Protection Authority and the Office of the Medical Director of Health. Before, by letter of the day. On December 2, 2019, the Data Protection Authority directed instructions to S.Á.Á. because of the delivery.

It stated that the Data Protection Assessment needed that the data that was considered most sensitive should be preserved in such a way that it could be traced in patients' medical records that they had for some time been stored outside of the S.A. location. Paper data on each patient were preserved at S.Á.Á. in a folder highlighted to him and it was clear that a comment on the security breach could be entered there. With reference to the above, in addition to points 4 and 6, among others. Article 42 Act no. 90/2018, the Data Protection Authority stipulated that certain data should be preserved and identified separately, before being placed in the folders of individual patients at S.A. More specifically, it included the aforementioned treatment sheets and accompanying documents, handwritten sheets and notes containing patient information, printouts of e-mail communications and printed documents of 1991 with a description of particular patients.

In other respects, reference was made to the security of the information in question. In this context, rules on confidentiality were also emphasized, cf. Mon 17 Art. Act no. 34/2012 on healthcare professionals.

It was requested that the Data Protection Authority confirm that this order had been complied with no later than January 3, 2020. This confirmation was received by email on December 20, 2019. Stating that colored papers had been enclosed with the data specified by the Data Protection Authority with text saying that they had left the house because of the security breach. The same papers had also been attached to check-in books from the Vík treatment center, which also went out of the house, despite the fact that the Privacy Policy had not applied to them.

7.

Counter-notification procedure for possible imposition of fines

By letter, date. November 13, 2019, was S.Á.Á. given the opportunity to object to the possible imposition of an administrative fine on the organization as a result of the case. In the letter of Privacy, the views on which the determination of such fines were examined.

Reply received by letter, date. November 26, 2019. It is emphasized that [A] himself packed the documents in question and that he, as former chief of Vík, should have been clear about the contents of the boxes. Comments are also made to the assertion [A] that he received a portion of the data sent to him by a van and claims that he himself retrieved all of them. In addition, S.Á.Á. so that [A] chose to post a post about the security breach on Facebook, rather than immediately sending the data to the organization. It is also disputed that someone other than [A] marked the box containing the medical records.

It is stated that there have been unique cases that can be attributed to carelessness and that S.A. has done everything in the power of the organization to recover the data.

In addition to the above, the letter refers to the extensive reform work in the field of privacy that has been done within the association, as well as the fact that S.A. are public health organizations that donate self-sufficiency to public health services.

Individual items of Article 47 are reviewed. Act no. 90/2018, which addresses the considerations that should be considered when deciding whether to impose a fine and what its amount should be. Specifically, S.Y. for the following items:

Nature, scope and purpose of processing
- The organization refers to the fact that they are aware of a serious security breach that involved sensitive personal information of approx. 3,000 patients mentioned in check-in books, as well as very sensitive personal information about 252 people. However, the organization points out that there are also data that does not belong directly to S.A.

A subjective attitude
- The association refers to human error.

Measures to reduce the loss of registered persons
- The association refers to the fact that they have requested [A] to submit the data in question and have also reported the security breach to the Data Protection Authority.

Responsibility of the guarantor or processor with regard to technical and organizational measures
- The organization here refers to the fact that extensive reform work in the field of privacy has been carried out, as discussed in more detail below.

Previous violations
- The association refers to the fact that they have not previously been violated by privacy laws.

Extent of cooperation with the Data Protection Authority
- The organization refers to the fact that they have reported the security breach to Privacy without delay, submitted a security manual and will abide by the instructions that may be received from the Data Protection Authority.

Categories of personal information
- The organization refers to sensitive personal information.

In what way was the supervisory authority notified of the violation
- The association refers to the fact that they reported the security breach to the Data Protection Authority about 42 hours after it emerged.

Compliance with instructions for improvement
- The organization refers to the fact that no instructions from the Data Protection Authority had been made at the time the letter of opposition was written.

Other burdensome or mitigating factors
- The organization refers to a non-profit organization that works for the public good and contributes self-sufficiency to health services that are open to the public.

As mentioned earlier on Privacy Protection, S.Á.Á. stated that paper data had been waived for secure electronic solutions at Vík in stages since 2015. Electronic systems are recognized and serviced by certified service providers in accordance with service contracts and processing contracts. They are access controlled and monitored using them. Has been hired by an independent party to carry out an audit of SÁÁ's information systems and has submitted the results to the Office of the Director of Health on 9 May 2019.

It is also noted that access controls exist for housing, offices and archives, either […]. If the processing of personal data has been mapped and recorded in a processing file, in addition to a risk assessment of processing factors.

In addition, a security manual was published containing, among other things, the data submitted to the Data Protection Authority on October 2, 2019. Three privacy meetings were also held on the privacy of a data protection officer, ie. October 3, 2018 to provide general information on privacy and new legislation, August 28, 2019 to discuss updated procedures and October 9, 2010. to discuss the same issue.

It is stated that an Information Security Committee consisting of three employees of S.A. together with a privacy officer who plays an advisory role in the committee. Her tasks include maintaining records, regularly assessing risk according to risk assessment, keeping track of deviation registration, reviewing work procedures on a regular basis, supervising systems and housing access control, monitoring processors, monitoring records and checking records education for staff.

Covered with letter S.Y. were, among other things, the findings of the aforementioned party who reviewed the information system S.Á.Á. This is a confirmation that he emailed the Directorate of Health by email on May 9, 2019 that he considered the information security system S.A. satisfactory.

II.

Assumptions and conclusion

1.

Scope - Guarantee

Scope of Act no. 90/2018, on privacy and processing of personal information, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thus the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partially or fully automated and processing by methods other than automatic processing of personal data that is or should be part of a file.

Personal information includes information about a person or person who is personally identifiable and can be considered as personally identifiable if he or she can be directly or indirectly identified by reference to his or her identity or one or more of the characteristics characteristic of him, cf. Item 2 Article 3 of the Act and Paragraph 1. Article 4 Regulation.

Processing means an action or series of actions in which personal information is processed, whether the processing is automatic or not, cf. Item 4 Article 3 of the Act and Paragraph 2. Article 4 Regulation.

A register also means a structured collection of personal information that is accessible according to certain criteria, whether it is centralized, distributed or divided according to use and location, cf. Item 5 Article 3 of the Act, cf. Item 6 Article 4 Regulation.

This case concerns the processing of personal information by a medical institution. Respectfully, and with due regard to the foregoing provisions, this matter concerns the processing of personal information that falls under the sphere of privacy. However, it should be noted that some of the data listed in Section 2 of Section I above fall outside the scope of the data in the case of manual processing without being or should be part of a file in the above sense. More specifically, here refers to a diary from the work of S.A. from 2015, guestbook from Sogni and meeting books of the Fjalladeild AA at Sogni, but the names of the attendees are not widely registered there and if they are mentioned it is usually only the first names. It should also be noted that photographs among the data may fall outside the scope, ie. if taken by analogy. However, this is only a small part of the data.

The person responsible for processing personal data complies with Act no. 90/2018 is named as the guarantor. According to paragraph 6. Article 3 the Act refers to an individual, legal entity, governmental authority or other party who decides alone or in collaboration with other purposes and methods for the processing of personal information, cf. also point 7. Article 4 Regulation. As used herein, S.A. medical institutions are responsible for the processing in question.

2.

Legality of processing

All processing of personal data must be subject to any of the provisions of Article 9. Act no. 90/2018, cf. Paragraph 1 Article 6 Regulation (EU) 2016/679. It may be mentioned that personal data may be processed if it is necessary to fulfill the legal obligation that rests with the responsible party, cf. Point 3 the provision of the Act, cf. point c of the provision. In addition, the processing of sensitive personal data must be compatible with any of the additional requirements of the first paragraph. Article 11 of the Act, cf. Paragraph 2 Article 9 Regulation. According to point 3 (b). Article 3 the law is health information, ie. personal information relating to the physical or mental health of a person, sensitive, cf. also paragraph 1 Article 9 Regulation. As is the case here, especially in point 8. Paragraph 1 Article 11 provided that the processing of sensitive personal data is permissible if it is necessary to prevent disease or occupational disease, to assess the workability of an employee, diagnose illness and provide care or treatment in the field of health or social services, and for which there is a special law; provided that it is performed by an employee of such a service that is bound by confidentiality, cf. also paragraph 1 (h) Article 9 Regulation. In this context it may be mentioned that in accordance with Article 4 Act no. 55/2009 on medical records, a healthcare professional who receives a patient for treatment must keep a medical record, and in addition the law stipulates, among other things, the security of medical records, cf. Article 8 the Act, and access to it, cf. IV. section of the Act.

In addition to the authorization according to the above, the processing of personal data must satisfy all the basic requirements of the first paragraph. Article 8 Act no. 90/2018, cf. Paragraph 1 Article 5 Regulation (EU) 2016/679. It provides, inter alia, for personal data to be processed in a legitimate, fair and transparent manner towards the data subject; that they are derived for clearly stated, legitimate and objective purposes and not further processed for other and incompatible purposes; that they should be preserved in such a way that it is not possible to identify registered persons for longer than is necessary for the purpose of processing; and that they should be processed in such a way as to ensure the proper security of personal information.

According to Art. Act no. 90/2018, cf. Article 24 Regulation (EU) 2016/679, the guarantor shall take appropriate technical and organizational measures that take into account the nature, scope, context and purpose of the processing and the risks to the rights and freedoms of registered persons to ensure and demonstrate that the processing of personal data complies with the regulatory requirements. Appears in Article 24. of the Act, cf. Article 25 Regulation, that these measures should ensure that privacy is built-in and default. The second paragraph of Art. Article 24 of the Regulation, where it is in proportion to the average proportionality of the processing activities, the measures shall include, inter alia, the guarantor's implementation of appropriate privacy policies. Regarding the measures that need to be taken for the processing of personal data, it must be considered that they must, among other things, ensure that it is of course possible that personal data will not be made available to unauthorized parties and thus an unlimited number of people, cf. Paragraph 2 Article 25 Regulation.

The above rules of Act no. 90/2018 and Regulation (EU) 2016/679 are highlighted in the first paragraph. Article 27 the Act, which states that the controller and processor must take appropriate technical and organizational measures to ensure the adequate security of personal information, taking into account the latest technology, cost, implementation, nature, scope, context and purpose of the processing and the risks, misconduct and misconduct, the freedom of individuals in accordance with further instructions of Art. of the Regulation, but that article will be considered its main provisions on information security. Says in the second paragraph. the article states that when assessing whether the appropriate security is present, particular attention should be paid to the risks involved in the processing, including with regard to how personal information is transmitted, stored or otherwise processed, the risk of being lost, changed , will be published or granted access to them unauthorized.

From the evidence of the case it is clear that information on the medical history of patients at S.Á.Á. were made available to the former employee of the association, who received data from S.Á.Á. after he left there. The fact that he himself was involved in unwrapping them cannot justify the lack of technical and organizational measures that would have prevented such delivery and had to be present at S.A.A., as the responsible for the processing , because of the processing of such sensitive personal information in question.

In light of the cases and the requirements laid down in Act no. 90/2018 and Regulation (EU) 2016/679 make it safer for the processing of sensitive personal information, it is the Privacy Statement that S.Á.Á. has not sufficiently ensured that sensitive personal information on alcohol and drug abuse treatment by thousands of individuals would not be available to unauthorized persons. Although significant work has been done to bring security issues to an acceptable level, the appropriate security of the information in question was therefore not guaranteed as required by paragraph 6. Paragraph 1 Articles 8, 23, 24 and 27 Act no. 90/2018, cf. paragraph 1 (f) Articles 5, 24, 25 and 32 Regulation (EU) 2016/679. Therefore, the conclusion of the Data Protection Authority is that the processing of S.Á.Á. the personal data of patients has violated the above provisions of the Act and the Regulation.

3.

The point of view of the application of penalties

Given the above, it is therefore considered whether S.A. administrative fines for this, cf. Article 46 Act no. 90/2018, cf. Article 83 Regulation (EU) 2016/679. In deciding this and the amount of the fine, paragraph 1 shall be considered. Article 47 Act no. 90/2018, cf. Paragraph 2 Article 83 Regulation. These include items which may either be of interest to the beneficiary or to his detriment. The following issues are considered in this case:

a. Nature, scope and purpose of processing

According to point 1. Paragraph 1 Article 47 Act no. 90/2018 ,cf. paragraph 2 (a) Article 83 of Regulation (EU) 2016/679, should consider the nature, severity and duration of violations, with regard to the nature, scope and purpose of processing, as well as the number of registered individuals who suffered and the serious damage they suffered. It is clear that this was the processing of sensitive personal data, over a long period, that affected over 3,000 patients at S.A., but also provided information about their relatives. Were here, among other things, medical records, including on m. patient check-in books, but also much more detailed data, such as therapists' notes from interviews with patients, which include items related to health and criminal behavior. In particular, there are so-called treatment sheets, as well as supporting documents, which protected 252 individuals.In addition, detailed information was provided about several other individuals, such as email communications about them and documents with descriptions of them.

The purpose of the process is to provide people with alcohol and drug problems with health care. It must therefore make extremely stringent requirements for safety. It is clear that adequate measures were not taken to ensure that medical records were not released when a former employee of S.A. were provided with data containing sensitive personal information and stored by the organization.

b. A subjective attitude

According to paragraph 2. Paragraph 1 Article 47 Act no. 90/2018, cf. paragraph 2 (b) Article 83 of Regulation (EU) 2016/679, should consider whether a violation was committed intentionally or negligently. There is nothing other than the fact that human error has occurred here and nothing has been stated in the case which indicates that this is a deliberate violation.

c. Measures to reduce the loss of registered persons

According to paragraph 3. Paragraph 1 Article 47 Act no. 90/2018, cf. paragraph 2 (c) Article 83 Regulation (EU) 2016/679, should take into account the measures taken to reduce the loss of registered persons. In this context, it is important to S.A. immediately contacted the said former employee of the organization when informed of the security breach, and requested that the data be returned. The security breach was also reported to the Data Protection Authority.

d. Responsibility of the guarantor or processor with regard to technical and organizational measures

According to paragraph 4. Paragraph 1 Article 47 Act no. 90/2018, cf. paragraph 2 (d) Article 83 Regulation (EU) 2016/679, should take into account the level of responsibility of the guarantor or processor with regard to the technical and organizational measures they have implemented. This is explained in more detail in Article 32. of the Regulation, in the light of the latest technologies, costs of operation and nature, scope, coherence and purpose of processing and risks, improper and irreversible, for the rights and freedoms of individuals, the guarantor shall take appropriate technical and organizational measures to ensure appropriate safeguards. at risk. Therefore, in the light of the process in question, there should have been organizational measures which would have prevented the transmission of the data concerned and thus a security breach.It is clear that despite a lot of work that had been done on security issues at S.Á.Á. no such measures were in place at the time of delivery. However, it should be noted that on July 9, 2019, ie. shortly before S.Á.Á. became aware of the security breach, the organization had established working rules on the treatment of workers on work documents. Appears in the second paragraph. Article 4 the rule that an employee should be given the opportunity to review work space and compile their private documents and other belongings before leaving his place of business. Also states, among other things, that he is totally not allowed to bring work documents with him, in addition to that mentioned in the third paragraph. The article states that a supervisor may be present when an employee completes his or her private documents upon retirement, as he respects the employee's privacy rights.no such measures were in place at the time of delivery. However, it should be noted that on July 9, 2019, ie. shortly before S.Á.Á. became aware of the security breach, the organization had established working rules on the treatment of workers on work documents. Appears in the second paragraph. Article 4 the rule that an employee should be given the opportunity to review work space and compile their private documents and other belongings before leaving his place of business. Also states, among other things, that he is totally not allowed to bring work documents with him, in addition to that mentioned in the third paragraph. The article states that a supervisor may be present when an employee completes his or her private documents upon retirement, as he respects the employee's privacy rights.no such measures were in place at the time of delivery. However, it should be noted that on July 9, 2019, ie. shortly before S.Á.Á. became aware of the security breach, the organization had established working rules on the treatment of workers on work documents. Appears in the second paragraph. Article 4 the rule that an employee should be given the opportunity to review work space and compile their private documents and other belongings before leaving his place of business. Also states, among other things, that he is totally not allowed to bring work documents with him, in addition to that mentioned in the third paragraph. The article states that a supervisor may be present when an employee completes his or her private documents upon retirement, as he respects the employee's privacy rights.the organization had established a working procedure for the treatment of workers on work documents. Appears in the second paragraph. Article 4 the rule that an employee should be given the opportunity to review work space and compile their private documents and other belongings before leaving his place of business. Also states, among other things, that he is totally not allowed to bring work documents with him, in addition to that mentioned in the third paragraph. The article states that a supervisor may be present when an employee completes his or her private documents upon retirement, as he respects the employee's privacy rights.the organization had established a working procedure for the treatment of workers on work documents. Appears in the second paragraph. Article 4 the rule that an employee should be given the opportunity to review work space and compile their private documents and other belongings before leaving his place of business. Also states, among other things, that he is totally not allowed to bring work documents with him, in addition to that mentioned in par. the article states that a supervisor may be present when an employee completes his or her private documents upon retirement, as he respects the employee's privacy rights.in addition to what is stated in paragraph 3. The article states that a supervisor may be present when an employee completes his or her private documents upon retirement, as he respects the employee's privacy rights.in addition to what is stated in paragraph 3. The article states that a supervisor may be present when an employee completes his or her private documents upon retirement, as he respects the employee's privacy rights.

e. Previous violations

According to point 5. Paragraph 1 Article 47 Act no. 90/2018, cf. paragraph 2 (e) Article 83 Regulation (EU) 2016/679, if relevant, must be considered by previous offenders or relevant processors. It is not available for S.Y. have previously been found guilty of a violation of privacy legislation.

However, since its inception, the Data Protection Authority has received two other notices of security breach from S.A., dated. October 23, 2019 (Case No. [...]) and January 29, 2020 (Case No. [...]). These security flaws did not consider the nature of special measures to be taken by the Data Protection Authority and were considered by S.A. satisfactory.

f. Extent of cooperation with the Data Protection Authority

According to paragraph 6. Paragraph 1 Article 47 Act no. 90/2018, cf. paragraph 2 (f) Article 83 Regulation (EU) 2016/679, should consider the extent of cooperation with the Data Protection Authority to rectify violations and mitigate their harmful effects. It is clear that S.Y. has complied with the requirements and instructions of the Data Protection Authority following the announcement of the security breach, as well as the Agency has had good access to the premises and staff of SÁ.Á. during the processing of the case.

g. Categories of personal information

According to point 7. Paragraph 1 Article 47 Act no. 90/2018, cf. paragraph 2 (g) Article 83 of Regulation (EU) 2016/679, it is necessary to consider what categories of personal data breaches affected. This includes medical records, including on m. patient check-in books and therapist notes from interviews with patients, which include items related to health and criminal behavior. It is therefore a sensitive personal information within the meaning of item 3. Article 3 Act no. 90/2018, in addition to information covered by Article 12. the same law as for criminal conduct.

h. In what way was the supervisory authority notified of the violation

According to paragraph 8. Paragraph 1 Article 47 Act no. 90/2018, cf. Paragraph 2 (h) Article 83 Regulation (EU) 2016/679, should consider the manner in which the supervisory authority was notified of a violation. It is available that S.Y. reported the security breach shortly after his arrival. Furthermore, the organization has responded well to the Privacy Policy's requests for clarification and information within the time limits provided.

i. Compliance with instructions for improvement

According to paragraph 9. Paragraph 1 Article 47 Act no. 90/2018, cf. paragraph 2 (i) Article 83 of Regulation (EU) 2016/679, compliance with the Data Protection Directive on remedial measures based on Article 42 should be considered. Act. Letter privacy by letter, date. December 2, 2019, instructions to S.Á.Á. due to the delivery of data to the association. Confirmation that they had been received within the time allowed. Also, S.Á.Á. on its own initiative, submitted data on modified and high-quality procedures for the processing of personal data.

j. Other burdensome or mitigating factors

According to paragraph 11. Paragraph 1 Article 47 Act no. 90/2018, cf. paragraph 2 (k) Article 83 Regulation (EU) 2016/679, should consider other burdensome or mitigating factors than those mentioned earlier in the provision, such as profits or losses that were directly or indirectly avoided due to a violation.

In that regard, it is to look at S.Y. has undertaken extensive work within the organization, in collaboration with privacy experts, in order to update procedures, in a documented manner, in connection with the processing of personal information within the organization. This work was started before the security breach occurred.

4.

Conclusion on penalties

As discussed in Section II.2. on the legitimacy of processing it is available that processing S.Á.Á. broke against item 6. Paragraph 1 Articles 8, 23, 24 and 27 Act no. 90/2018, cf. paragraph 1 (f) Articles 5, 24, 25 and 32 Regulation (EU) 2016/679. Article 46 Act no. 90/2018, cf. Article 83 of the Regulation, that a violation of paragraph 1 (f) Article 5 and Article 32. the regulation may involve administrative fines.

In view of the foregoing considerations on the imposition of penalties and in the case of public health organizations, non-financial causes and the provision of self-funds for public health services, administrative fines are deemed to be appropriately set at 3,000,000 crowns. 


In response:

Processing S.Á.Á. medical institutions, Efstaleiti 7, Reykjavik, on personal information about patients at the Vík medical institution violated Paragraph 6 of Art. Paragraph 1 Articles 8, 23, 24 and 27 Act no. 90/2018, cf. paragraph 1 (f) Articles 5, 24, 25 and 32 Regulation (EU) 2016/679.

A fine of ISK 3,000,000 is imposed on S.Á.Á. hospitals. The penalty shall be paid to the State Treasury within two months from the date of the decision.