Persónuvernd - 2020010616

From GDPRhub
Persónuvernd - 2020010616
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 5(1)(c) GDPR
Article 9(1) GDPR
Article 9(2)(a) GDPR
Article 9(2)(f) GDPR
Act 90/2018 on Data Protection and the Processing of Personal Data
Type: Complaint
Outcome: Rejected
Decided: 25.06.2020
Published: 13.07.2020
Fine: None
Parties: n/a
National Case Number/Name: 2020010616
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Persónuvernd (in IS)
Initial Contributor: n/a

The Icelandic DPA (Persónuvernd) rejected a complaint where an individual argued that their medical records were unlawfully processed in a dispute over the settlement of benefits.

English Summary[edit | edit source]

Facts[edit | edit source]

A company obtained medical information about the complainant from a health centre, and used it to prepare a report which was then submitted to the Icelandic Insurance Appellate Committee, who were dealing with a compensation claim involving the complainant.

Dispute[edit | edit source]

Was the company's acquisition and use of the complainant's personal data compliant with the processing principles under Article 5 GDPR? Did an exception to the prohibition of processing of health data under Article 9(2) GDPR apply?

Holding[edit | edit source]

The Icelandic DPA held that the processing was compliant with Article 5, noting in particular that the amount of data processed was "not in excess of what was necessary". The Icelandic DPA also held that the company could process the data lawfully because an Article 9(2) exception applied, namely Article 9(2)(f), where processing is necessary for the exercise or defence of a legal claim. However, they rejected the company's contention that the exception of explicit consent (Article 9(2)(a)) could be relied on in this case, because of the "clear difference in situation" between the controller (company) and processor (complainant). In particular, the DPA considered that consent here could not be granted voluntarily, because the compensation settlement was conditional on the complainant granting the company access to their health data.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Processing of Sjóvár-Almennar tryggingar hf. on information from an individual's medical record
Case no. 2020010616

07/13/2020

The Data Protection Authority has ruled in a case where a complaint was made about the processing of Sjóvár-Almennar tryggingar hf. with information on the health of an individual from his medical record in connection with a dispute over the settlement of benefits. It was concluded that the company's processing which involved obtaining the information in question and using it in writing a report to the Insurance Appellate Committee had been based on point 6. Article 9 Act no. 90/2018 but that the dissemination of the information to the committee had relied on point 3. the same articles and under the conditions of point 6. Paragraph 1 Article 11 the same law had been complied with for all the processing operations. Furthermore, the Data Protection Authority considered that the basic requirements of the first paragraph had been met. Article 8 the same law during processing. The conclusion of the Data Protection Authority was therefore that the processing had complied with Act no. 90/2018.
ruling


On June 25, 2020, the Data Protection Authority issued a ruling in case no. 2020010616 (formerly 2019040870):

I.
procedures

1.
Complaint and procedure

On April 10, 2019, the Data Protection Authority received a complaint from [A] (hereinafter referred to as the complainant) regarding the processing of his personal information by Sjóvár-Almennar tryggingar hf. More specifically, it was complained that Sjóvá-Almennar tryggingar hf. had obtained information on the complainant's health from [the health center] and on the use of the information in the preparation of a report, which the company submitted to the Insurance Appellate Committee, due to the complainant's appeal to the committee. The complaint was accompanied by a total of 13 accompanying documents which shed light on an incident related to an accident that the complainant had suffered and his claim for compensation from his employer's employee insurance with Sjóvá-Almennar tryggingar hf.

By letter dated 5 September 2019, Sjóvá-Almennar tryggingar hf. notified of the above complaint and given an opportunity to comment on it. The company responded by letter dated. September 24 By letter dated On 24 October this year, the complainant was presented with a reply letter from Sjóvár-Almennar tryggingar hf. and given the opportunity to comment on its content. The complainant replied by letter dated November 13

In resolving the case, all of the above documents have been included, although not all of them are specifically described in the following ruling.

2.
The complainant's views

The complainant relies on the fact that he has applied to the Insurance Appeals Committee for the refusal of Sjóvár-Almennar tryggingar hf. is to be paid compensation for an accident at work he suffered [in 2014].

Following the lawsuit, Sjóvá-Almennar tryggingar hf. obtained health information about the complainant from [the health center] in connection with the writing of the company's report to the Appellate Committee. The complainant considers that the information contained therein, which is dated two years after the accident, has been interpreted as the cause of the accident by the company, but he considers that information recorded after the accident should rather be regarded as information about its consequences.

3.

The views of Sjóvár-Almennar tryggingar hf.

On behalf of Sjóvár-Almennar tryggingar hf. is based on the fact that the company has refused liability for the complainant's accident at work for the reason that the statutory notification deadline according to para. Article 124 Act no. 30/2004 on insurance contracts has expired. In an appeal to the Insurance Appellate Committee, the complainant claimed that certain injuries and symptoms could be traced to the accident and that he did not know the nature of the injuries until [in 2018]. The complainant had supported his appeal with two medical certificates, but until then the company had not had any medical evidence about the complainant. The provisions of Act no. 30/2004 has been clarified so that the beginning of the notice period must be counted from the time when the injured party became aware that the accident had permanent consequences. Therefore, such a conclusion usually needs to be based on medical evidence.

The company therefore considered it necessary to obtain further information about the complainant's health to confirm whether he had been injured in the accident, whether his symptoms could be traced to the accident or were related to his previous health and at what point he had verifiably been aware of its alleged consequences. . The collection of the information in question by the company was therefore necessary for the Insurance Appellate Committee to be able to base its conclusion on the facts of the case and the presentation of the information was normal in view of the fact that there was a dispute that could later go to court. Therefore, all views that supported the company's conclusion on the rejection of liability have been put forward.

On the part of the company, it is also based on the fact that the acquisition of a copy of the complainant's medical record was based on his own clear and written consent, in accordance with point 1. Article 9 and point 1. Paragraph 1 Article 11 Act no. 90/2018, on personal protection and the processing of personal information, which he has twice provided, cf. the complainant's statements to that effect, dated 31 August 2018 and 11 March 2019. The processing of information from people's medical records may be necessary for insurance companies for the purpose of fully informing cases and determining the right to compensation. The company therefore believes that data on the complainant was obtained for clear, legitimate and objective purposes and that no further action was taken than was necessary in obtaining the information. Thus, the company's request to the health service for the delivery of data was limited to medical records for a certain period, ie. regarding the complainant's health before and after his accident, in addition to which only the information was obtained from the complainant's medical record which the company considered necessary due to the company's response to the Appellate Committee. It was decided to request a copy of part of the complainant's medical record rather than a medical certificate as it provides fuller and better information, in addition to which it could have been obtained at short notice and at low cost. However, the information was not obtained until it became necessary to defend a legal claim.

It is also based on the fact that the dissemination of information from the complainant's medical record to the Appellate Committee in Insurance Matters was based on points 3 and 6. Article 9 and point 6. Paragraph 1 Article 11 Act no. 90/2018. The medical record had been reviewed by one employee of Sjóvár-Almennar tryggingar hf., Who had access rights to it. During that review, it became clear that various issues in the medical record were not relevant to the resolution of the case. It had therefore been decided that instead of sending the medical record to the Appellate Committee in Insurance Matters, only those items from the medical record that were considered to be of direct significance would be explained in the company's reply to the committee. The committee had been informed that this method would be followed and that it would be granted access to the medical record if it deemed it necessary. This was not the case.

II.
Assumptions and conclusion

1.
Delimitation of a case

The complaint under discussion in this case concerns, on the one hand, that Sjóvá-Almennar tryggingar hf. had obtained information about the complainant's health from the medical record [health centers] as well as the use of the information in the preparation of a report, which the company submitted to the Appellate Committee in Insurance Matters, due to the complainant's appeal to the committee. The complainant comments, among other things, on the fact that the company had obtained information about his health that arose two years after his accident.

On the other hand, the complaint will lead the complainant to comment on the presentation of the information in the report and the substantive conclusions that Sjóvá-Almennar tryggingar hf. withdrew from the information the company worked with.

With regard to the powers of the Data Protection Authority, cf. discussion in the next section, this ruling is limited to the processing of the complainant's personal information by Sjóvár-Almennar tryggingar hf. in connection with the aforementioned litigation with the Insurance Appellate Committee. However, the ruling does not cover the presentation of the information or the substantive conclusions drawn from it by the company or the ruling committee.

2.
Scope - Responsible

Scope of Act no. 90/2018, on personal data protection and processing, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automated and the processing by other methods than automatic of personal data that are or are to become part of a file.

Personal information includes information about a person who is personally identifiable or personally identifiable, and an individual is considered personally identifiable if it is possible to identify him / her, directly or indirectly, with reference to his or her identity or one or more factors that are characteristic of him or her, cf. 2. tölul. Article 3 of the Act and point 1. Article 4 Regulation.

Processing refers to an action or series of actions where personal information is processed, whether the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2. Article 4 Regulation.

This case concerns the acquisition of Sjóvár-Almennar tryggingar hf. on the complainant's personal information from his medical record at [health center] and the use of the information in connection with the writing of a report submitted to the Insurance Appellate Committee regarding the complainant's appeal to the committee in connection with an accident he suffered. In this respect and in the light of the above provisions, this case concerns the processing of personal information which falls within the competence of the Data Protection Authority.

The person responsible for the processing of personal information complies with Act no. 90/2018 is named the responsible party. According to point 6. Article 3 of the Act refers to an individual, legal entity, government authority or other party who decides alone or in collaboration with other purposes and methods of processing personal information, cf. 7. tölul. Article 4 Regulation. As such, Sjóvá-Almennar tryggingar hf. be responsible for the processing in question.

3.
Legality of processing and conclusion

All processing of personal data must be subject to one of the authorization provisions of Article 9. Act no. 90/2018. It may be mentioned that personal data may be processed if the data subject has given his or her unequivocal consent to the processing for the benefit of one or more specific purposes, cf. 1. tölul. of that Article, if the processing is necessary due to a legal obligation that rests with the responsible party, cf. 3. tölul. of that article, or if it is necessary due to legitimate interests that the responsible party safeguards, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data outweigh, cf. 6. tölul. of that article.

In addition, the processing of sensitive personal data must comply with one of the additional conditions of the first paragraph. Article 11 Act no. 90/2018. According to point b of point 3. Article 3 of the Act, health information is considered sensitive, but from a complaint it can be concluded that information on the complainant's health was obtained from his medical record. As is the case here, point 6 comes into consideration in particular. Paragraph 1 Article 11, to the effect that the processing of sensitive personal data is permitted if it is necessary in order to be able to establish, maintain or defend legal claims.

In addition to the cited provisions of Act no. 90/2018, also to consider provisions in other laws that apply at any given time.

Medical records are governed by Act no. 55/2009, Coll. Paragraph 2 Article 1 of them, but Act no. 90/2018 also apply to such registers to the extent that they are not prescribed otherwise in the aforementioned Act, cf. Paragraph 3 Article 1 them. According to Art. Act no. 55/2009, access to medical records is not permitted unless it is authorized by law in accordance with the provisions of the Act or other laws.

According to the first paragraph. Article 47 Act no. 30/2004 on insurance contracts, the insured must provide the insurance company with information and the data that he has in his possession and the company needs to assess its liability and pay compensation. The Minister of Commerce has also published advertisement no. 1090/2005 on Articles of Association for the Appellate Committee in Insurance Matters, based on the third paragraph. Article 141 the same law. According to para. Article 6 of the Articles of Association, the insurance company shall provide the committee with the documents and documents relating to matters submitted to the committee. Then it says in the 3rd paragraph. the same provision that an insurance company shall be given the opportunity to submit documents and views to the committee before a case is resolved.

On behalf of Sjóvár-Almennar tryggingar hf. is based on the fact that the collection of information on the complainant's health in connection with the decision on compensation for him was based on his consent in this regard, cf. 1. tölul. Article 9 and point 1. Paragraph 1 Article 11 Act no. 90/2018.

According to point 8. Article 3 of the Act, the consent is an unforced, specific, informed and unequivocal declaration of intent by the data subject that he consents, by declaration or unequivocal confirmation, to the processing of personal data about himself. Paragraph 43 of the preamble to Regulation (EU) 2016/679 states that consent should not be considered a valid legal basis for the processing of personal data when there is a clear difference in the situation between the data subject and the responsible party. It also states that consent is not considered to be granted voluntarily if the implementation of the agreement, including the provision of services, is covered by the agreement, even though the consent is not necessary for the implementation of the agreement. In addition to this, the guidelines of the European Privacy Protection Council, no. 05/2020, which were granted on the basis of item e of the first paragraph. Article 70 of Regulation (EU) 2016/679, that the unconditional consent entails a requirement that the data subjects have a real right of decision. Therefore, it is not possible to proceed in such a way that the data subject feels compelled to give consent or considers that it has negative consequences not to give consent for processing.

With reference to all of the above, the Data Protection Authority considers that it must be assumed that the compensation settlement was conditional on the complainant granting Sjóvá-Almennar tryggingar hf. information, including regarding their health. Taking this into account, the Data Protection Authority considers that there was such a difference between the company's facilities on the one hand and the complainant's on the other, with the complainant's consent, dated. 31 August 2018 and 11 March 2019, regarding the company's authorization to obtain information from the complainant's medical register in connection with the determination of compensation, could not have been considered unenforceable within the meaning of point 8. Article 3 Act no. 90/2018. As a result, the processing of Sjóvár-Almennar tryggingar hf. obtaining information about the complainant's health from his medical record at [health center] could not be based on point 1. Article 9 and point 1. Paragraph 1 Article 11 Act no. 90/2018.

However, point 52 of the preamble to Regulation (EU) 2016/679 states that sensitive personal data may be processed when necessary to establish, uphold or defend legal claims, whether in court or in administrative proceedings or out-of-court proceedings.

The Appellate Committee in Insurance Matters is tasked with ruling on disputes that fall under Act no. 30/2004, Coll. Paragraph 1 Article 141 them. The Committee's rulings are not binding. With reference to Article 141 Act no. 30/2004 and comments on that provision in the bill to the Act, it will not be considered that the Appellate Committee has administrative authority. In view of this, it is the opinion of the Data Protection Authority that this is an out-of-court procedure which is intended to decide on legal claims within the meaning of point 6. Paragraph 1 Article 11 Act no. 90/2018, Coll. Point 52 of the foreword to Regulation (EU) 2016/679.

In view of all the above, the Data Protection Authority considers that the acquisition of Sjóvár-Almennar tryggingar hf. on information about the complainant's health from his medical record from [health center] and their use in writing the report was based on point 6. Article 9 Act no. 90/2018 but that the dissemination of the information to the Appellate Committee in Insurance Matters was based on point 3. the same articles, cf. Paragraph 2 Article 6 Articles of Association of the Insurance Appellate Committee. The Data Protection Authority also considers that, as in this case, the conditions of point 6 Paragraph 1 Article 11 Act no. 90/2018 have been fulfilled due to all the processing measures that are being discussed in this case.

In addition to the authorization according to the above, the processing of personal data must satisfy all the basic requirements of the first paragraph. Article 8 Act no. 90/2018, Coll. Article 5 Regulation (EU) 2016/679. Among other things, it stipulates that personal information shall be processed in a lawful, fair and transparent manner towards the data subject (point 1); that they shall be sufficient, appropriate and not in excess of what is necessary for the purpose of the processing (paragraph 3); and that they shall be reliable and up-to-date as necessary, but that personal data which are unreliable or incomplete for the purpose of their processing shall be deleted or corrected without delay (paragraph 4).

Despite the fact that the complainant's statements about the company's authorization to obtain information about his health could not be considered consent within the meaning of Act no. 90/2018, Coll. from the above, it must be assumed that they have in fact informed the complainant that Sjóvá-Almennar tryggingar hf. may obtain information about his health in connection with his claim for compensation from the company. The case file also shows that Sjóvá-Almennar tryggingar hf. had obtained personal information about the complainant's health in order to protect his interests in the operation of a case which the complainant referred to the Appellate Committee in Insurance Matters. In the opinion of the Data Protection Authority, it can only be seen that the personal information was sufficient and not in excess of what was necessary for that purpose. Finally, it can only be concluded that the company has obtained information on the complainant's health from the medical record in order to ensure that reliable information forms the basis for writing the company's report to the Insurance Appeals Committee. In view of the above factors, it is the conclusion of the Data Protection Authority that the processing of personal information under discussion here has complied with the basic requirements of the first paragraph. Article 8 Act no. 90/2018.

U r s k u r ð a r o r ð:

Processing of Sjóvár-Almennar tryggingar hf. on personal information about [A] complied with Act no. 90/2018, on personal protection and processing of personal information.

In Privacy, June 25, 2020

Helga Þórisdóttir Helga Sigríður Þórhallsdóttir