Personvernnemnda - PVN-2024-05

From GDPRhub
Personvernnemnda - PVN-2024-05
Courts logo1.png
Court: Personvernnemnda (Norway)
Jurisdiction: Norway
Relevant Law: Article 16 GDPR
Article 17(3)(b) GDPR
Article 57(1)(f) GDPR
§ 39 helsepersonelloven
§ 40 helsepersonelloven
§ 41 helsepersonelloven
§ 42 helsepersonelloven
§ 26 pasientjournalloven
Decided: 27.08.2024
Published:
Parties:
National Case Number/Name: PVN-2024-05
European Case Law Identifier:
Appeal from: Datatilsynet (Norway)
23/04367-5
Appeal to: Unknown
Original Language(s): Norwegian
Original Source: Personvernnemnda (in Norwegian)
Initial Contributor: fb

The Data Protection Board partially upheld a DPA decision, stating that the DPA has the duty to investigate a complaint. However, it held that, according to national law, the DPA is not competent to handle complaints regarding the accuracy of a hospital’s patient records.

English Summary

Facts

The data subject underwent medical treatment in a hospital managed by the controller following an work related injury. The controller issued a report that was used by the data subject to apply for workers’ compensation. This application was rejected by the competent authority.

After that, the data subject filed a rectification and deletion request to the controller, asking the latter to modify the medical report. The controller rejected this request.

On 8 December 2023, the DPA closed the case without deciding whether the controller had violated the GDPR and without considering any corrective measures. The DPA pointed out that it does not have medical or healthcare expertise and, therefore, concluded that it was not appropriate to consider the complaint pursuant to Article 57(1)(f) GDPR.

Moreover, the DPA pointed out that, according to national law (see holding below) and as already stated by the Data Protection Board, the DPA does not have the power to carry out a real review of what information is correct or relevant to include in a patient record.

On 27 December 2023, the data subject complained about this decision. The DPA considered the complaint and upheld its decision not to conduct further investigations.

Therefore, on 2 April 2024, the case was submitted to the Data Protection Board (Personvernnemnda).

The data subject believed that the DPA has not considered her case and that the DPA has a duty to check that GDPR is complied with.

Holding

On the handling of the complaint by the DPA

First, the Board held that the DPA has closed the case without making a decision and without considering the data subject's complaint.

Pursuant to Article 57(1)(f) GDPR, the DPA shall investigate a complaint lodged by a data subject and investigate, to the extent appropriate, the subject matter of the complaint, as well as inform the complainant of the course and outcome of the investigation within a reasonable time.

According to the Board, this provision does not allow for a discretionary assessment of which complaints should be processed and which can be closed without processing.

Secondly, the DPA pointed out that keeping a patient record involves the processing of personal data. Sections 39 and 40 of the Health Personnel Act (Lov om helsepersonell m.v.) impose a duty on health personnel to keep patient records. These personnel must assess what is relevant and necessary information about the patient and the health care.

According to Section 42 and 43 of the Health Personnel Act, a person can demand to correct this record to the health personnel. Refusals of demands for correction may be appealed to the county medical officer.

Moreover, pursuant to Section 26 of the Patient Records Act (Pasientjournalloven), the Norwegian DPA supervises compliance with the GDPR, with the exception to supervisory tasks that are the responsibility of the Norwegian Board of Health Supervision.

The Board recalled a previous decision of its, where it had held that data protection legislation does not give either the DPA or the Board the authority to review information in patient records for the purpose of ordering changes to the content of a record at the request of a data subject. On the contrary, it had held that the correctness of such journal entries must be assessed by the health enterprise and possibly by the county medical officer in connection with an appeal against a refusal to rectify.

On the rectification and erasure request

Thirdly, the Board noted that the data subject’s rectification request has been stored in the hospital’s systems in a way that meets the requirements for supplementing personal data under Article 16 GDPR. Therefore, it considered that the controller fulfilled the rectification request.

Finally, the Board noted that the right to erasure does not apply to patient records, since they fall into the exception of Article 17(3)(b) GDPR.

Therefore, the Board upheld the data subject’s complaint that the DPA has not considered the case has been upheld. However, it did not uphold her claim that she can demand deletion or further rectification.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

The Privacy Board's decision on 27 August 2024 (Mari Bø Haugstad, Bjørnar Borvik, Hans Marius Graasvold, Ellen Økland Blinkenberg, Morten Goodwin, Malin Tønseth and Hans Marius Tessem)
The case concerns a complaint from A about the Norwegian Data Protection Authority's decision on 8 December 2023 to close the case regarding the correction/deletion of health information at Hospital X, without making a decision.
Background of the case
A approached the Norwegian Data Protection Authority on 20 November 2023. She complained that Hospital X would not correct a specialist statement written by a section chief physician at the hospital in 2014 in connection with her application for compensation following an occupational injury. NAV approved the injury as an occupational injury, but refused As's claim for compensation. In A's view, the declaration contains incorrect information which she has demanded to be corrected/deleted. Her request for correction/deletion to the hospital at the data protection commissioner and to the State administrator in Y has not been successful.
In a letter to A on 8 December 2023, the Norwegian Data Protection Authority closed the case without deciding whether Hospital X had breached the Personal Data Act, and without assessing any corrective measures. The Norwegian Data Protection Authority had dealt with A's inquiry, and decided not to carry out further investigations into the matter.
A complained about the Norwegian Data Protection Authority's closure of the case on 27 December 2023.
The Norwegian Data Protection Authority processed the complaint and upheld its decision not to carry out further investigations. The case was forwarded to the Personal Protection Board on 2 April 2024. A was informed about the case in a letter from the board, and was given the opportunity to make comments. A has given his comments by email on 26 April 2024.
The case was dealt with in the board's meeting on 27 August 2024. The privacy board had the following composition: Mari Bø Haugstad (chair), Bjørnar Borvik, Hans Marius Graasvold, Ellen Økland Blinkenberg, Morten Goodwin, Hans Marius Tessem and Malin Tønseth. Investigation leader Anette Klem Funderud was also present.
Briefly about the Norwegian Data Protection Authority's decision
The Norwegian Data Protection Authority points out that it follows from the Health Personnel Act that requests for correction and deletion of health information must be addressed to the business where the health information is located, i.e. the health care provider, and possibly to the State Administrator in connection with a complaint about refusal of correction/deletion.
The Norwegian Data Protection Authority assumes that A has submitted a request for correction and deletion to Hospital X and the County Governor in Y (now the State Administrator in Y), but that the request has not been made, cf. the State Administrator's letter to A on 25 September 2023. In the letter 25. In September, the Norwegian State Administrator referred to two decisions, which the Norwegian Data Protection Authority has not obtained, as the Norwegian Data Protection Authority does not have the competence to review the Norwegian State Administrator's proceedings, cf. the Personal Protection Regulation article 57 no. 1 letter a.
The Norwegian Data Protection Authority points out that the Norwegian Data Protection Authority does not have medical or healthcare expertise. With reference to the Personal Protection Board's case, PVN-2023-06, the Norwegian Data Protection Authority assumes that the Norwegian Data Protection Authority cannot carry out a real review of which information is correct or relevant to include in a patient record.
The Norwegian Data Protection Authority then concludes that it is not appropriate to take the complaint into consideration, cf. the Personal Protection Regulation article 57 no. 1 letter f.
As's view of the case in brief
She complains that the Norwegian Data Protection Authority does not take her case into consideration. The Norwegian Data Protection Authority must check that the regulations are followed. The regulations are absolutely clear. If she requests it, she has a right to correct, supplement and delete errors in personal/health information.
She has documented that in this case there are several breaches of the Health Personnel Act and the Personal Data Protection Ordinance. When the Norwegian State Administrator has taken charge of the legislation, the Norwegian Data Protection Authority must be able to guide the Norwegian State Administrator on the right track.
She has asked Hospital X to correct all errors in her personal information that appear in the specialist declaration from 2014, but the hospital refuses.
It is not a question of overriding a diagnosis, but of correcting incorrect personal information in the specialist declaration from 2014 written by the section supervisor. The information has been reproduced by a case manager at NAV who refused the claim for compensation.
The Norwegian Privacy Board's assessment
The Norwegian Data Protection Authority has, with reference to article 57 no. 1 letter f, closed the case without making any decision and without taking a position on A's complaint. The reason for the complaint not being processed is that the supervisory authority does not have medical or health-related expertise, and that the supervisory authority does not consider it appropriate to take the case into consideration.
The Norwegian Data Protection Authority's duties follow from Article 57 of the Personal Data Protection Regulation. According to the provision, the Norwegian Data Protection Authority must process a complaint submitted by a registered person and investigate, to the extent that it is appropriate, the subject of the complaint, as well as inform the complainant of the course and outcome of the investigation within a reasonable period, cf. personal protection regulation article 57 no. 1 letter f. According to the board's assessment, the provision does not allow for a discretionary assessment of which complaints must be processed and which can be terminated without processing.
In cases where the Norwegian Data Protection Authority has not taken a position on the complaint, the Privacy Board has as a general rule sent the case back for new processing. Nevertheless, the tribunal does not consider it appropriate in this case to send the case back to the Norwegian Data Protection Authority. The tribunal emphasizes that the case is sufficiently informed and that the result in the case appears to be clear. The tribunal has therefore chosen to make a new decision.
This case concerns claims for correction and deletion of personal data in a specialist statement in A's patient record. Keeping a patient record involves processing personal data. It follows from Section 26 of the Patient Records Act that the Norwegian Data Protection Authority supervises the Act and regulations issued pursuant to the Act, with the exception of supervisory tasks that are the responsibility of the National Health Inspectorate and the State Administrator under the Health Inspectorate Act. It is clear from §§ 39 and 40 of the Health Personnel Act that it is the health personnel who carry out the health care who are obliged to keep patient records and who must assess what is relevant and necessary information about the patient and the health care. The purpose is to ensure that the record fulfills its function as a tool for the health services to be able to provide proper health care to the patient. What is relevant and necessary information is decided on the basis of health professional assessments.
In this case, hospital X has refused to correct and delete information in A's record. The county governor (now the State Administrator) has, as the right appeal body, upheld the hospital's assessment in 2014, 2015 and 2023, cf. the Health Personnel Act §§ 42 and 43. The tribunal has not found it necessary to obtain the hospital's assessment, or the State Administrator's assessment from 2014 and 2015, cf. the personal data protection regulation article 5 no. 1 letter c (on data minimisation).
In PVN-2023-06, the tribunal has made a statement about the Norwegian Data Protection Authority's and the tribunal's competence to decide on the deletion and correction of patient records:
"Privacy legislation gives neither the Norwegian Data Protection Authority nor the Norwegian Personal Protection Board the competence to review information in patient records with the aim of ordering changes to the contents of a record at the request of a patient or his/her next of kin. This does not only apply to healthcare assessments, but also includes journal notes which, for example, represent the doctor's minutes of what was said in a conversation between patient and practitioner. The correctness of such record keeping must be assessed by the health institution and possibly by the state administrator in connection with a complaint about refusal of correction. In the event of ambiguity or disagreement about what was said, supplementation will be relevant. What information belongs in a record and what should be archived elsewhere is not regulated by privacy legislation and cannot be determined by the Norwegian Data Protection Authority or the Personal Data Protection Board.
The tribunal assumes that A's request for correction is stored in the hospital's systems in a way that meets the requirements for supplementing the personal data in Article 16 of the Personal Data Protection Ordinance, and that she has thus been able to fulfill her request for correction.
The right to erasure according to article 17 does not apply to patient records, cf. no. 3 letter b, see Prop. 56 LS (2017-2018) section 32.4.2 (page 188). The tribunal further assumes that the request for deletion and the reasons for the refusal are recorded in As's record, cf. the Health Personnel Act section 43 second paragraph.
On this background, the Norwegian Data Protection Board agrees with the Norwegian Data Protection Authority that it is not appropriate to carry out further investigations. The information that is available is sufficient to be able to make a decision that A has no right to deletion of information in her journal under the Personal Data Act and that her claim for rectification under Section 16 of the Personal Data Act has been met.
A has been upheld in her complaint that the Norwegian Data Protection Authority does not take the case into consideration, but has not been upheld that she can demand deletion or further correction.
The decision is unanimous.
Resolution
A is not successful in his claim for correction and deletion.
Oslo, 27 August 2024
Mari Bø Haugstad
Manager