Persónuvernd (Iceland) - 2020061965

From GDPRhub
Revision as of 16:40, 21 December 2022 by Fz (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Persónuvernd - 2020061965
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 6(1)(c) GDPR
Article 9(2)(h) GDPR
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 05.12.2022
Published: 05.12.2022
Fine: n/a
Parties: Social Services
National Case Number/Name: 2020061965
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Icelandic
Original Source: Persónuvernd (Iceland) (in IS)
Initial Contributor: Gauravpathak

The Icelandic DPA decided that a social service had a legal obligation to share sensitive personal data of a mother and her oldest child with the father of the oldest child. The processing was in compliance with Article 6(1)(c) and 9(2)(h) GDPR. However, also sharing the details of the women's other children violated the GDPR.

English Summary

Facts

The data subject is a mother. The personal data of her and her four children was shared by the social service of an Icelandic municipality, the controller, to the father and joined guardian of the oldest child. The personal data was shared in a letter and included information about the suicide attempt of the data subject, her addiction problem, as well as the the full names and social security numbers of all of the data subject's children. The data subject disputes that the social services were authorized to share this personal data.

The social services answered that they were required to share the information under Icelandic law. Article 21 of Act no. 80/2002 states that when child protection services receive information that a child's physical or mental health or development may be at risk due the behaviour of the parents or others, they must investigate the matter and make a decision without delay. The Article also obliges them to notify the (other) parents of the situation. Informing the father about the mother's suicide attempt and drug consumption habits was therefore required by the law. Regarding the sharing of details of the other children, the social services conceded that their conduct was not in line with data protection laws. However, the controller argued, the father of the oldest child could have obtained this information in other ways, such as by asking his child or through the national registry.

Holding

The Icelandic DPA held that the suicide attempt and addiction problems of the data subject constituted health data. Therefore, since GDPR categorizes health data as a special category of data, the processing has to comply with Article 6 as well as Article 9 GDPR. Considering the legal obligations of the social services under Act no. 80/2002, the DPA held that the social services rightfully shared the information about the mother with the father. The law does not clearly state what the content of notifications to the parents should be. However, in the opinion of the DPA, it was clear that such notifications must, among other things, contain sufficient information about the subject matter covered by the investigation. Thus, the data was legally processed based on Article 6(1)(c) and Article 9(2)(h) GDPR. Article 6(1)(c) GDPR entitles a controller to process data due to a legal obligation whereas Article 9(2)(h) justifies the processing of special categories of data when it is necessary for medicinal purposes or for the management of health systems and services.

However, with regard to the sharing of the names and social security numbers of the data subject's other children to the father of her oldest child, who does not have custody of the other children, the social service's conduct was in violation of the GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details. 

Solutions

Social service processing of personal information

Case no. 2020061965

5.12.2022

Sensitive personal information includes i.a. health information, but it is not permitted to process sensitive personal information about individuals unless authorized to do so according to the Personal Protection Act. In this case, sensitive health information was processed, but the social service believed that it had to inform the father of the complainant's child about it according to the Child Protection Act.

----

The Norwegian Data Protection Authority ruled in a case where there was a complaint about the sharing of personal information by a municipality's social services about the complainant and her children to the father of her oldest child. More specifically, it was complained that social services sent a letter to the father of the complainant's eldest child with personal information about herself and her three other children, including sensitive personal information about the complainant and the full names and social security numbers of her other children.

The conclusion of the Personal Protection Agency was that the sharing of sensitive personal information about the complainant was in accordance with the law on personal protection and processing of personal information with regard to the content of the notification and the examination by the social services. With regard to the communication of the names and social security numbers of the complainant's other children to the father of the complainant's oldest child who did not have custody of them, it was the opinion of the Personal Protection Agency that the processing did not comply with the law on personal protection and the processing of personal information.

Ruling

about a complaint about the processing of personal data by social services [F] in case no. 2020061965:

i
Procedure

On June 22, 2020, Personal Protection received a complaint from [L], f.h. [A] (hereinafter the complainant) regarding the sharing by the municipality [C] (now social services [F]) of personal information about her and her children to the father of her eldest child.

Personal protection invited social services [F] to comment on the complaint by letter, dated October 8, 2021, and the organization's answers were received on November 26, 2021. In light of the municipality's answers, further information was requested by e-mail on December 2nd. Received the municipality's answers with today's letter. 8. s.m. With a letter on June 13, 2022, the complainant was given the opportunity to comment on the social services' explanations [F], and the complainant's answers were received by e-mail on the 16th p.m.

When resolving the case, all the above-mentioned documents have been taken into account, although not all of them are separately explained in the following ruling.

The processing of the case has been delayed due to the heavy workload at Personal Protection.

___________________

There is a dispute about whether social services [F] was allowed to send a letter, dated April 17, 2020, in a registered mail personal information about the complainant and her three children to the father of her fourth and oldest child who had joint custody with the complainant.

The complainant believes that social services [F] violated her by sending the letter in question which contained sensitive personal information about her, i.e. on m. information about a suicide attempt and an addiction problem, but the letter also stated the full names of all the complainant's children along with their social security numbers.

Social Services [F] believes that the processing is compatible with section 3. 9 art. Act no. 90/2018. The legal basis for the sharing of said personal information can be found in the 2nd sentence of the 3rd paragraph. Article 21 Child Protection Act no. 80/2002. According to the provision, child protection services must notify parents that notification according to Paragraph 1 Article 21 of the law has been received regarding their child. The aforementioned provision of the Child Protection Act does not deal with the content of the notification, but in the handbook for processing child protection cases it is assumed that parents are informed about the content of the notification. The complainant and her child's father shared custody of their son and therefore the father, as a party to the case, was sent the said notification by registered mail. Notification of the investigation of the case was in accordance with Article 14. administrative law no. 37/1993 and brought with it what the issue was and what the government's examination focused on. Then the right to information, Article 45. Act no. 80/2002 assumes that said information is accessible to parents. Communication of the complainant's sensitive personal information was based on items 2 and 8. Paragraph 1 Article 11 Act no. 90/2018.

Social Services [F] believes that sharing the names and social security numbers of the complainant's other children in the notification to the father of the oldest child was not in accordance with the Personal Protection Act, but it is general personal information that the aforementioned party was able to access through his son, as the children's half-siblings, or national registry.

II.
Conclusion
1.
Lawfulness of processing

This case concerns, on the one hand, whether social services [F] were authorized to share sensitive personal information about the complainant to the father of her child under the circumstances. However, the issue concerns whether social services [F] were authorized to share the general personal information of the complainant's other children to the same party. It concerns the processing of personal data that falls under the scope of Act no. 90/2018 and regulation (EU) 2016/679 and thus the authority of the Data Protection Authority. The municipality [F], which manages the municipality's social services, is considered to be the party responsible for the processing in question according to Act no. 90/2018, on personal protection and processing of personal data, and Regulation (EU) 2016/679.

All processing of personal data must be covered by one of the authorized provisions of Article 9. Act no. 90/2018, cf. Article 6 of regulation (EU) 2016/679. For example, it is possible to work with personal data if it is necessary to fulfill a legal obligation that rests on the responsible party, cf. Number 3. of the legal provision and point c of the regulatory provision. In addition, the processing of sensitive personal data must be compatible with one of the additional conditions of paragraph 1. Article 11 of the law, cf. Paragraph 2 Article 9 of the regulation. According to point b of 3. no. Article 3 of the law, health information is considered sensitive personal information, incl. information about drug, alcohol and drug use. From a complaint, it must be decided that information about the complainant's health and addiction problem has been processed. According to this, the case concerns the processing of sensitive personal information about the complainant. As is the case here, item 8 comes into consideration in particular. Paragraph 1 Article 11, to the effect that the processing of sensitive personal information is permitted if it is necessary to prevent diseases or to provide care or treatment in the field of health or social services and there is a special legal authorization for it, as long as it is carried out by an employee of such a service as is bound by a duty of confidentiality, cf. h-item 2. paragraph Article 9 of regulation (EU) 2016/679.

In addition to authorization according to the above, the processing of personal data must be compatible with all the principles of paragraph 1. Article 8 Act no. 90/2018, cf. Article 5 of regulation (EU) 2016/679. The principles stipulate, among other things, that personal data must be processed in a lawful, fair and transparent manner towards the data subject (paragraph 1 of the legal provision) and that it must be sufficient, relevant and not beyond what is necessary based on the purpose of the processing (paragraph 3 .).

When assessing the legality of processing according to the aforementioned provisions, provisions in other laws that are applicable in each case must also be taken into account. In paragraph 1 Article 21 Act no. 80/2002 states, among other things, that when child protection services receive a notification or receive information by other means that a child's physical or mental health or development may be at risk due to neglect, incompetence or behavior of parents, violence or disrespectful behavior by others, they must take a stand without delay, and no later than within seven days from when it received notification or information, whether there is a reason to start an investigation into the matter. It is also stated in paragraph 3. the same articles of the law that child protection services must notify parents that a notification has been received and of their decision on the occasion of it within a week of the decision being made.

Social services [F] has also referred to the fact that it had to notify the father of the complainant's child about the case in accordance with Article 14. administrative law no. 37/1993, who in light of his participation in the case has the right to information about the case. In Article 14 comes i.a. states that the party to a case has the right to comment on its content and that the administrative authority shall, as soon as possible, draw the party's attention to the fact that his case is being processed. The aforementioned provision contains the essence of the right to object, where the litigant is guaranteed the right to comment on a case before a decision is made, since his position is not stated in the case file or there is obviously no need for him to comment. In this way, the litigant can express his comments, point out misunderstandings or inaccuracies in the case documents and also point out sources that are a better basis for deciding a case.

The aforementioned provisions do not clearly state what the content of notifications to the parent should be. However, in the opinion of the Personal Protection Agency, it is clear that such notifications must, among other things, contain sufficient information about the subject covered by the child protection service's investigation. In this regard, refer to the opinions of the Parliamentary Ombudsman in cases no. 2896/1999 and no. 2954/2000.

In the opinion of the Personal Protection Agency, the only thing that can be determined from the case data is that the notice in question concerned a child protection case at social services [F] which directly concerned the complainant's addiction problem to some extent. Accordingly, and taking into account all of the above, it is the opinion of the Personal Protection Authority that the processing of personal information about the complainant that is discussed here has relied on item 3. Article 9 and number 8. Paragraph 1 Article 11 Act no. 90/2018, cf. Article 6(c) and point h of paragraph 2 Article 9 of regulation (EU) 2016/679. Then it will not be seen that the processing was unfair, cf. Number 1. Paragraph 1 Article 8 of the Act and point a of the 1st paragraph Article 5 of the regulation, violated the principle of proportionality, cf. Number 2. of the legal provision and point b of the regulatory provision or other principles regarding the processing of personal data, taking into account the content of the notification and the examination of the social services.

With regard to social services [F] sharing the names and social security numbers of the complainant's other children to the same person, who does not have custody of them, the social service's position is that it went against the provisions of the Personal Protection Act.

In the opinion of the Personal Protection Authority, there was no authorization according to Article 9. Act no. 90/2018, cf. Article 6 regulation (EU) 2016/679 for that processing. For that reason, it is the conclusion of the Data Protection Authority that the processing did not comply with the law and regulation.

Ruling:

The sharing of sensitive personal information about [A] by social services [F] was in accordance with the provisions of Act no. 90/2018, on personal protection and processing of personal information, cf. regulation (EU) 2016/679.

The communication by social services [F] of general personal information about other children [A] than [B] to his father was not compatible with the provisions of Act no. 90/2018, on personal protection and processing of personal information, cf. regulation (EU) 2016/679, on authorization for the processing of personal data.

Privacy, December 5, 2022

Bjarni Freyr Rúnarsson Rebekka Rán Samper
Retrieved from "https://gdprhub.eu/index.php?title=Persónuvernd_(Iceland)_-_2020061965&oldid=30076"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki