Persónuvernd - 2020051606

From GDPRhub
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 5 GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Decided: 12.03.2021
Published: 24.03.2021
Fine: None
Parties: Akureyri Hospital
National Case Number/Name: 2020051606
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Persónuvernd (in IS)
Initial Contributor: n/a

The Icelandic DPA reprimanded a hospital for sending medical data of a complainant and her child to the wrong address.

English Summary

Facts

On 11 May 2020 the DPA received a complaint from a woman whose own and her child's medical records, which she had requested from the Akureyri Hospital, had been sent to the wrong address. Although she had specifically requested that the documents be sent to her, the letter had been sent to the address of her child, who is domiciled with the child's father.

The data was sent by registered mail and returned to the Hospital in Akureyri unopened. At the hospital, the documents were placed in a new envelope and sent by registered mail to the complainant.

Holding

The DPA held that, in view of the sensitive nature of the data in question, it was highly reprehensible that the Hospital in Akureyri did not ensure that the data was sent to the correct address. The hospital's procedures did not ensure adequate security of personal information as required by Act no. 90/2018 on personal protection and the processing of personal information.

In view of the above, the conclusion of the DPA is that the processing of the personal information of the complainant by the Hospital in Akureyri in the transmission of the complainant's and her child's medical records did not comply with Act no. 90/2018 on personal protection and processing of personal information.

The DPA found no preconditions for imposing a fine.

Comment

Further Resources

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Processing by the Hospital in Akureyri in the dispatch of medical records
Case no. 2020051606
24.3.2021
The Data Protection Authority has ruled in a case where it was complained that the medical records of the complainant and her child had been sent by the Hospital in Akureyri (SAK) to the child's legal domicile and not to the complainant herself. The hospital admitted that no care had been taken to check that the addresses were different and that the data had therefore been sent to the child's legal domicile. On the other hand, the data had been sent by registered mail and returned to SAK unopened, and therefore the data had not reached unauthorized persons. The documents were then sent by registered mail to the complainant. The Data Protection Authority considered that, in light of the sensitive nature of the data in question, it was highly reprehensible that SAK did not ensure that the data was sent to the correct address. This was not altered by the fact that the data had been sent by registered mail and returned by the postal service unopened. The processing was not considered to have complied with Act no. 90/2018, on personal protection and processing of personal information.

Ruling
On March 12, 2021, the Data Protection Authority issued a ruling in case no. 2020051606:

I.
Procedure

1.
Outline of case
On 11 May 2020, the Data Protection Authority received a complaint from [A] (hereinafter referred to as the complainant) that her and her [child]'s medical records, which she had requested from the Akureyri Hospital, had been sent to the wrong address.

By letter dated 5 October 2020, repeated on 6 November 2020, the Hospital in Akureyri was invited to submit explanations regarding the complaint. The answer was given by letter dated 23 November 2020. The Data Protection Authority requested further information from the complainant in a telephone call on 12 February 2021. By e-mail on 12 February 2021, the Data Protection Authority requested further information from the Hospital in Akureyri. The answer was given by e-mail on the 19th of the same month.

In resolving the case, all of the above documents have been taken into account, although not all of them are specifically described in the following ruling.

2.
The complainant's views
The complainant has stated that she requested a copy of her own and [her child]'s medical records. When the data was not received, she contacted the Hospital in Akureyri. She was informed that, although she had specifically requested that the documents be sent to her, the letter had been sent to the address of [her] child, who is domiciled with the child's father. After the letter was sent back to the hospital, she received the data by registered mail. The letter had been posted through the letterbox at her home rather than handed to her. In a telephone conversation between the Data Protection Authority and the complainant, it was stated that [the child]'s mother and father have joint custody, but [its] legal domicile is with the father.

3.
The point of view of the Hospital in Akureyri
The Akureyri Hospital has stated that when the complainant's and her child's medical records were sent out, it was not checked that the two had different addresses, and therefore both her and her child's medical records were sent to the child's legal domicile. The data was sent by registered mail and returned to the Hospital in Akureyri unopened. At the hospital, the documents were placed in a new envelope and sent by registered mail to the complainant. There was no reason to report a security breach: the medical records were sent according to procedure and no data was received by unauthorized persons. The hospital's responses also refer to its procedures for the delivery of medical records and state that they have been revised to prevent a similar incident from recurring.

II.
Assumptions and conclusion

1.
Scope - Responsible party - Defining a case
The scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. paragraph 1 of Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. paragraph 1 of Article 39 of the Act, covers the processing of personal data that is wholly or partly automated and the processing by means other than automated of personal data that form or are intended to form part of a file.

This case concerns the treatment of the medical records of the complainant and her [child] by the Hospital in Akureyri. In this respect and in the light of the above provisions, this case concerns the processing of personal information which falls within the competence of the Data Protection Authority.

As the case stands, the Hospital in Akureyri is considered to be the controller responsible for the processing in question, cf. point 6 of Article 3 of Act no. 90/2018, cf. point 7 of Article 4 of the Regulation.

In view of the powers of the Data Protection Authority, this ruling does not cover the manner in which the registered letter was delivered to the complainant, and that aspect of the complaint is dismissed.

2.
Conclusion
All processing of personal data must meet the basic requirements of paragraph 1 of Article 8 of Act no. 90/2018, cf. Article 5 of Regulation (EU) 2016/679. Among other things, it stipulates that personal information shall be processed in such a way as to ensure appropriate security of the personal information (point 6).

The controller must ensure the security of personal information, cf. point 6 of paragraph 1 of Article 8 of Act no. 90/2018. The security of personal information means, among other things, that personal information is kept from unauthorized persons, while also remaining accessible to those who need it. Further provisions concerning the security of personal data can be found in Articles 23, 24 and 27 of Act no. 90/2018, according to which the controller shall take appropriate technical and organizational security measures to protect personal information, taking into account the nature, scope, context and purpose of the processing and the risk to the rights and freedoms of data subjects, cf. the further instructions in Article 32 of the Regulation. According to paragraph 2 of Article 32 of the Regulation, when assessing the appropriate level of security, particular account shall be taken of the risks presented by the processing.

As previously stated, Sjúkrahúsið á Akureyri has admitted that the medical records of the complainant and her [child] were sent to the wrong address. The Hospital in Akureyri has pointed out that its procedures state that medical secretaries handle documents securely in sealed packaging, marked with the names of those authorized to receive them. An office worker then either hands over the documents or sends them by registered mail. It is not apparent that the rules of procedure require a check that the address written on the registered letter, when it is sent, matches the data request and the legal domicile registration of the person requesting the data.

In view of the sensitive nature of the data in question, the Data Protection Authority considers it highly reprehensible that the Hospital in Akureyri did not ensure that the data was sent to the correct address. This is not altered by the fact that the data was sent by registered mail and returned by the postal service unopened. The institution's procedures and working practices did not meet the security requirements placed on the controller to ensure adequate security of personal information under Act no. 90/2018 on personal protection and the processing of personal information. With reference to paragraph 1 of Article 8, Articles 23 and 24 and paragraph 1 of Article 27 of Act no. 90/2018, and Article 32 of the Regulation, the Data Protection Authority emphasizes the importance of the controller ensuring the security of the sensitive personal information that the hospital's employees work with.

In view of the above, the conclusion of the Data Protection Authority is that the processing of the personal information of [A] by the Hospital in Akureyri in the transmission of the complainant's and [child]'s medical records did not comply with Act no. 90/2018, on personal protection and processing of personal information.

As the case stands, the conclusion of the Data Protection Authority is that there are no preconditions for exercising its power to impose a fine, cf. Article 46 of Act no. 90/2018.

Operative part of the ruling:
The processing of the personal information of [A] by the Hospital in Akureyri in the transmission of her and [her] child's medical records did not comply with Act no. 90/2018, on personal protection and processing of personal information.

At Persónuvernd, 12 March 2021

Helga Þórisdóttir Vigdís Eva Líndal