Personvernnemnda - PVN-2023-06

From GDPRhub
Personvernnemnda - PVN-2023-06
Courts logo1.png
Court: Personvernnemnda (Norway)
Jurisdiction: Norway
Relevant Law: Article 16 GDPR
Decided: 10.10.2023
Published:
Parties:
National Case Number/Name: PVN-2023-06
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): Norwegian
Original Source: PVN-2023-06 (in Norwegian)
Initial Contributor: sh

The Norweigan Data Protection Appeals Board upheld the DPA's decision. A data subject's right to rectification of patient records was fulfilled even though not all the data was changed according to the data subject's request.

English Summary

Facts

In June 2019, A had sent a request to Hospital X containing 18 points in which she wanted her son's medical records to be amended or supplemented. In a letter to A dated July 8, 2019, the hospital complied with two of these points. The other requests for correction/supplementation were rejected. The County Governor also approved the hospitals decision.

In November 2019, A complained to the Data Protection Authority. The complaint was extensive and concerned several different data controllers. This case concerns a claim for rectification of medical records at Hospital X. On April 26, 2021, the Data Protection Authority asked Hospital X to provide an account of the case processing at the hospital and the assessments that had been made in relation to the complainant's deletion and rectification claims. Hospital X provided an account in a letter dated May 21, 2021. On July 15, 2022, the Data Protection Authority concluded that Hospital X had fulfilled its obligation to rectify/supplement and closed the case.

On August 21, 2022, A filed another complaint against the DPA's decision. The DPA considered the complaint, but found no grounds to change its decision. The DPA referred the case to the Data Protection Board on April 19, 2023.

Holding

The Board upheld the DPA's decision. The conclusion is that the right to rectification was fulfilled by the hospital pursuant to Article 16 GDPR.

Firstly, it follows from the Health Personnel Act that health-related assessments, including assessments of the accuracy of medical records, must be made by the health enterprise and possibly by the state administrator. It is the health personnel who perform the health care who are obliged to keep patient records and who must assess what is relevant and necessary information about the patient and the medical assistance, cf. sections 39 and 40 of the Health Personnel Act. In this case, the County Governor (now the State Administrator) has already upheld the hospital's assessment, cf. section 42 of the Health Personnel Act.

Secondly, the data protection legislation does not give either the Data Protection Authority or the Data Protection Board the authority to review information in patient records for the purpose of ordering changes to the content of a record at the request of a patient or his/her relatives. Which information belongs in a medical record and what should be archived elsewhere is not regulated by data protection legislation and cannot be determined by the DPA or the Data Protection Board.

Lastly, the Board agrees with the Data Protection Authority's assessment that the hospital has processed the submitted requests for correction and supplementation in a manner that meets the requirements of the data protection regulations pursuant to Article 16 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

The Norwegian Privacy Board's decision on 10 October 2023 (Mari Bø Haugstad, Gunn Elin Lode, Hans Marius Graasvold, Ellen Økland Blinkenberg, Morten Goodwin, Malin Tønseth)
The case concerns a complaint against the Danish Data Protection Authority's decision on 15 July 2022, where the Danish Data Protection Authority concluded that the complainant had fulfilled his right to correct and supplement information in his son's record.
Background of the case
In June 2019, A had sent a request to Hospital X with 18 points in which she wanted her son's record changed or supplemented. In a letter to A on 8 July 2019, the hospital complied with two of these points. The other requests for correction/supplementation were refused. A appealed the hospital's refusal to the County Governor in Y, who in a decision on 8 January 2020 upheld the decision from Hospital X.
A brought the case before the Data Protection Authority in November 2019. A's complaint to the Data Protection Authority is extensive and has dealt with several different data controllers. This case concerns claims for correction of medical records at Hospital X.
On 26 April 2021, the Norwegian Data Protection Authority asked Hospital X to explain the case management at the hospital and which assessments had been made in relation to A's request for deletion and correction. Hospital X explained in a letter on 21 May 2021.
The Norwegian Data Protection Authority assumed that Hospital X had fulfilled its obligation to correct/supplement and closed the case in a decision on 15 July 2022. A timely complained on 21 August 2022 about the Norwegian Data Protection Authority's decision. The Norwegian Data Protection Authority assessed the complaint, but found no grounds for changing its decision. The Norwegian Data Protection Authority forwarded the case to the Personal Data Protection Board on 19 April 2023. The parties were informed about the case in a letter from the board, and were given the opportunity to make any comments. A has given comments and submitted further documentation in letters on 1 and 14 August 2023 and in e-mail on 26 September 2023.
The case was dealt with at the board's meeting on 10 October 2023. The privacy board had the following composition: Mari Bø Haugstad (chair), Gunn Elin Lode, Hans Marius Graasvold, Ellen Økland Blinkenberg, Morten Goodwin and Malin Tønseth. Secretariat manager Anette Klem Funderud was also present.
Briefly about the Norwegian Data Protection Authority's decision
The Norwegian Data Protection Authority points out that it follows from the Health Personnel Act that health professional assessments, including assessments of the correctness of record entries, must be made by the health authority and possibly by the state administrator in connection with complaints about refusal of correction.
The authority believes that A's objections, which are stored in the hospital's systems, meet the requirements for supplementing the personal data. It is not a requirement that the information be supplemented directly in the journal. In several cases concerning the child protection service, the Privacy Board has concluded that supplementing records is sufficient to meet a demand for correction, cf. PVN-2020-17, PVN-2020-18 and PVN 2020-22. The same principle must apply to requests for corrections in patient records.
The Danish Data Protection Authority concludes that A has fulfilled his right to rectification according to Article 16 of the Personal Data Protection Regulation.
Briefly about A's complaint
The tribunal perceives that A's main point of view is that Hospital X in its handling of the case has breached the Personal Protection Regulation article 12 no. 2 - 4, article 16, article 19 and article 5 no. 1 letter d.
A criticizes the hospital's handling of her rectification claim and believes that the manner in which the rectification/supplementation has taken place is not in line with the law. She also criticizes the hospital's archiving routines, including their assessment of which e-mails are entered as attachments in the medical record and which e-mails are archived elsewhere than in the medical record. She also complains about the long processing time and explains that this case actually started with her contact with the hospital in 2014.
In summary, A requests the Privacy Board to ask Hospital X to:
- explain how they have fulfilled Article 12 points 2 – 4, especially from February 2014 until October 2019.
- come up with concrete assessments as to why the e-mail of 22 June 2015 should not be included in the record (as the first explicit written information about ongoing mental abuse), when they have included the e-mail she sent on 20 August.
- explain why the journal was not corrected (in the journal itself) in 2016. The correct thing is that they received her letter, and why they did not take her letter from 2016 into account when they dealt with the request for correction in 2019.
- justify why her e-mails that supplement the patient record (including the e-mails from 22 June 2015) were not archived in the "hospital's systems" until October 2017 (2 years after Hospital X received them), and why these the supplementary information (which until now has been archived in case 15/10395) has not been forwarded either to the County Governor in 2017, the Child Protection Agency in 2019 and the Norwegian Data Protection Authority in 2021.)
- explain how the record (as it exists today, largely uncorrected) fulfills Section 39 of the Health Personnel Act on record keeping, where it is stated that the person responsible for keeping the record is responsible for the record being "maintained in accordance with good professional practice and must contain relevant and necessary information about the patient and the healthcare provider, as well as the information that is necessary to fulfill the duty to report or the duty to provide information laid down in law or pursuant to law'.
Furthermore, A points out:
This case is not about health assessments. It is a question of correcting actual, objective information about what came to light in the investigation in spring 2014, which is documented in the record, but which Hospital X has not reproduced correctly and comprehensively to the County Governor in 2017, the Norwegian Child Protection Agency in 2019 and the Norwegian Data Protection Authority in 2021. spread further.
PVN-2020-18 and PVN-2020-22 dealt with the correction of subjective information. That is not the case in this case.
Real rectification can only happen if the hospital corrects the medical record itself. This is important for both her and her son's legal certainty that information about the violence they were exposed to appears clearly in the record, because several bodies relate to the content of the record itself and not to documents archived elsewhere in the "hospital's systems". Information that appears in the medical record ensures the child's right to the right health care.
The Norwegian Data Protection Authority's reference to the child protection cases from the Personal Protection Board shows a lack of knowledge about how differently personal data is archived in child protection and at a hospital. In child protection, all documents are collected in a folder/journal and endorsements there will act as corrections. This is in contrast to the hospital, which files corrections to a patient record elsewhere in the "hospital's systems" than in the record.
Hospital X's view of the matter in brief
A has requested the correction, deletion and addition of information in his son's patient record. The hospital has assessed the request in accordance with the Health Personnel Act and the Patient Record Regulations.
The hospital must keep "relevant and necessary information about the patient and the health care" in the patient record. The hospital is also subject to the Archives Act and associated archive regulations. Correspondence from and to A is therefore not included in her son's journal, but is continuously archived in the company's case archive.
Since 2016, BUP has received a large amount of e-mail correspondence
from A. The e-mails have been addressed to several different players. It has been challenging to handle the amount of e-mails that have had different content; everything from complaints about correction and deletion, information about articles and legal text, claims and accusations directed at individual processors, system and clinic management. Hospital X has attempted to handle the correspondence on an ongoing basis and has attempted to respond to this, if the inquiries from A have contained new information.
The hospital feels that there is a large gap between what is the BUP clinic's review and conclusions and what is A's perception of the matter.
The Norwegian Privacy Board's assessment
The right to rectification of personal data follows from Article 16 of the Personal Data Protection Regulation:
"The data subject shall have the right to have incorrect personal information about himself corrected by the data controller without undue delay. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by submitting a supplementary declaration.
The provision must be seen in connection with the requirement for correctness in Article 5 no. 1 letter d.
This case concerns demands for correction of personal data in a patient record. It is health personnel who carry out the health care who are obliged to keep a patient record and who must assess what is relevant and necessary information about the patient and the auxiliary aid, cf. the Health Personnel Act §§ 39 and 40. The purpose is to ensure that the record fulfills its function as a tool for the health services must be able to provide proper health care to the patient. What is relevant and necessary information is decided on the basis of health professional assessments.
Section 41 of the Healthcare Personnel Act states that it is healthcare personnel who must correct "incorrect or incomplete information, cf. the Personal Protection Regulation article 16". Hospital X does not consider the information A wants corrected to be relevant and necessary information about the son and the health care and therefore believes that the information should not be included in the record. The county governor (now the state administrator) has upheld the hospital's assessment as the right appeal body, cf. Section 42 of the Health Personnel Act.
Privacy legislation gives neither the Norwegian Data Protection Authority nor the Norwegian Personal Protection Board competence to review information in patient records with the aim of ordering changes to the contents of a record at the request of a patient or his/her next of kin. This does not only apply to healthcare assessments, but also includes journal notes which, for example, represent the doctor's minutes of what was said in a conversation between patient and practitioner. The correctness of such record keeping must be assessed by the health institution and possibly by the state administrator in connection with a complaint about refusal of correction. In the event of ambiguity or disagreement about what was said, supplementation will be relevant. What information belongs in a journal and what should be archived elsewhere is not regulated by privacy legislation and cannot be determined by the Norwegian Data Protection Authority or the Norwegian Personal Protection Board.
The tribunal agrees with the Norwegian Data Protection Authority's assessment that the hospital has processed the submitted rectification and supplemental requests in a way that meets the requirements of the personal data protection regulations according to the personal data protection regulation article 16. A' objections, which are stored in the hospital's systems, meet the requirements for supplementing the personal data. The tribunal agrees with the Norwegian Data Protection Authority that there is no requirement that the information be supplemented directly in the record.
The conclusion is that A has fulfilled his right to rectification according to Article 16 of the Personal Data Protection Ordinance.
The number of inquiries and the quantity of documents sent in the case mean that, in the tribunal's assessment, there is no reason to criticize the long processing time.
After this, A is not successful in his appeal.
The decision is unanimous.
Resolution
The Norwegian Data Protection Authority's decision is upheld.
Oslo, 10 October 2023
Mari Bø Haugstad
Manager