Tietosuojavaltuutetun toimisto (Finland) - 7285/183/18

From GDPRhub
Tietosuojavaltuutetun toimisto - 7285/183/18
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 5(1)(c) GDPR
Article 7 GDPR
Article 9 GDPR
Article 25(2) GDPR
§ 6(1)(1) Finnish Data Protection Act
Type: Complaint
Outcome: Upheld
Started:
Decided: 08.06.2022
Published: 07.07.2022
Fine: n/a
Parties: n/a
National Case Number/Name: 7285/183/18
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Finnish
English
Original Source: Finlex (in FI)
Tietosuojavaltuutetun toimisto (in EN)
Initial Contributor: Vadym Kublik

The Finnish DPA held that an insurance company violated the fairness, data minimisation and data protection by default principles, among others, by requesting the entire medical record of the data subject from their healthcare provider to determine the insurance company's liability.

English Summary

Facts

An insurance company (the controller) asked data subjects who applied for life or health insurance to sign a general written consent form authorising the controller to obtain personal health information directly from their healthcare providers. The controller needed this data to determine the risk insurance at the application stage and to determine its liability when data subjects later claimed compensation. In some instances, the controller used that authorisation to request the entire medical record of the data subject for a specified period.

The controller relied on the following grounds to process data subjects' health data: 1) the contractual necessity under Article 6(1)(b) GDPR; 2) a power of attorney granted in the authorisation form to request personal data on behalf of the data subject under Article 15 GDPR; and 3) Article 6(1)(1) of the Finnish Data Protection Act (Tietosuojalaki) which allows insurance companies to process the health data of the insured persons and claimants to determine the insurance company's liability.

Upon a complaint from the healthcare provider, the Finnish DPA investigated this practice of the controller related to collecting the health information directly from medical units.

Holding

The DPA held that the controller could not rely on the contractual necessity under Article 6(1)(b) GDPR because the health data belonged to special categories of personal data regulated by Article 9 GDPR, which does not contain contractual necessity as a sufficient legal basis.

Further, the controller could not rely on a power of attorney either because the purpose of the right of access under Article 15 GDPR is, among other things, to check the legality of processing and the accuracy of data. Therefore, processing the data obtained under the right of access to determine the insurance company's own risk and liability would be contrary to the principle of purpose limitation under Article 5(1)(b) GDPR. Moreover, the current wording of the authorisation form does not make it clear and understandable for the data subject that it involves giving the controller a power of attorney to exercise the data subject's right of access.

Next, the DPA held that Article 6(1)(1) of the Finnish Data Protection Act (Tietosuojalaki) applies only to the processing of the information of insured parties and claimants. Therefore, the controller cannot process the health information of insurance applicants or request their information from healthcare services at the application stage because, at that point, the agreement has not been made yet.

In this respect, the DPA suggested that to process insurance applicants' health data, the controller could rely on the data subject's consent under Article 9(2)(a) GDPR if it met the validity criteria. Valid consent requires, among other things, giving data subjects a detailed explanation of what exact information about them will be collected and for what specific purposes the controller will use it. However, the controller's current authorisation form applies to an undefined set of data and healthcare providers. It is thus not specific enough to qualify as valid consent under Article 9(2)(a) GDPR.

Finally, the DPA held that data subjects deal with healthcare service providers for many different reasons, and not all information is relevant for determining the risk and liability of insurance companies. Therefore, requesting entire medical records of the data subject from healthcare services violated the principles of fairness of processing (Article 5(1)(a) GDPR), data minimisation (Article 5(1)(c) GDPR), and data protection by default (Article 25(2) GDPR).

The DPA suggested that if an insurance company requests an individual's health information from healthcare services, the request must be limited to information concerning only a specific case, illness or symptom necessary for assessing the insurance company's liability. The insurance company must also assess the period for which it is necessary to request information.

Consequently, the DPA ordered the controller to bring its processing activities in line with the GDPR.

Comment

The Finnish DPA issued similar decisions against two other insurance companies in cases 4680/182/18 and 3216/452/17 (in Finnish).

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Requesting registered health information from the health care unit in connection with the assessment of the insurance company's liability

Keywords: insurance companies
health information

Legal basis: decision in accordance with the EU General Data Protection Regulation

Diary number: 7285/183/18

Decision of the Data Protection Commissioner

Thing

Requesting the health status information of the registered person from the health care unit in connection with the assessment of the insurance company's liability

Data Controllers

Insurance company

A matter to be resolved

On August 17, 2018, the health care operator informed the data protection authorized office that the data controller has requested the patient's medical record entries from the health care unit without specifying the exact basis for the request. According to the health care operator, the registrar has requested the patient's entire medical record for the time period he determined, referring to the investigation of the insurance company's liability. The request has been made in the following way:

"XX is seeking compensation from our company. It appears from the documents that you probably have information about the insured's health that may affect the insurance company's obligation to pay compensation. Therefore, I would kindly ask you to provide the company with a copy of the patient's medical record in its entirety from [specified time period]."

The health care provider has asked the data protection commissioner's office to evaluate the matter, because according to the provider's understanding, based on the request, it is not possible to hand over patient data only to the extent that would be necessary for processing the compensation case.

In 2020 and 2021, the data protection commissioner's office has investigated the procedures of the data controller in situations where the data controller requests data on the health status of registered users from health care units in 2020 and 2021. This decision concerns the systematic and currently used method of operation of the data controller.

In this decision, the term insurance applicant means not only the actual insurance applicant, but also persons whose insurance is intended to be taken out in the event of illness or death, even if they are not the insurance applicant themselves.

The Data Protection Commissioner assesses the matter based on the General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council and the Data Protection Act (1050/2018). The following legal questions have to be resolved in the matter:

1) whether the data controller processes the health status data belonging to the special personal data groups of the registrants in connection with applying for voluntary insurances in accordance with Article 9 of the General Data Protection Regulation; and

2) in the processing of personal data, does the data controller comply with the regulation of Article 5, paragraph 1, subsection c of the General Data Protection Regulation on data minimization, the regulation of Article 5, paragraph 1, subsection a, on the reasonableness of data processing, and the regulation of Article 25, paragraph 2, on built-in and default data protection to the extent that the data controller requests health information about the data subject in healthcare of the unit and processes the information it receives to clarify the insurance company's liability.

Statement received from the registrar

The registrar has been asked to clarify the matter with clarification requests dated 10.9.2020 and 2.12.2020. The registrar has issued a written report on the matter on 9 October 2020 and 13 January 2021.

The process of mapping the insurance company's liability

The data controller was asked to explain on what basis of processing and for what purpose the data controller processes the information requested from the health care unit about the data subject. In addition, the data controller was asked to tell what the processing process before the execution of the data controller's insurance contract is like.

The data controller says that the request for a copy of the medical record mentioned in the notification made to the data protection commissioner's office was related to the insurance offered by the data controller.

According to the registrar, the insurance company has the right to process information about the state of health in order to clarify its liability. Before issuing life or health insurance, the insurance company must survey each customer's health condition and, based on that, assess the insurance company's risk, the price of the insurance and any limiting conditions for risk insurance. In addition, when the customer applies for insurance compensation, it is the insurance company's duty to clarify the insurance company's liability, i.e. the insured's right to insurance compensation according to the insurance contract. The policyholder is bound by the obligation to provide information in accordance with Section 22 of the Insurance Contracts Act (543/1994) when concluding the insurance contract, as well as the obligation in accordance with Section 69 of the Act to provide explanations when applying for compensation. According to the registrar, the basic nature of insurance operations is controlled risk-taking. The legislation concerning insurance companies is based on securing the interests of the insured. In this regard, the registrar has referred to Directive 2009/138/EC (Solvency II) and the Insurance Companies Act (521/2008) issued on the initiation and pursuit of insurance and reinsurance activities.

The controller states in the report that it processes the personal data of its customers in order to implement the insurance contract (Article 6, Paragraph 1, Subsection b of the General Data Protection Regulation). In the opinion of the data controller, the processing of the registered person's personal data regarding the state of health in order to determine the liability of the insurance company is permitted under section 6, subsection 1, point 1 of the Data Protection Act.

The registrar says that the data subject gives the registrar authorization to request and receive information about the health status of the registrant directly from the health care units in the health report filled out in connection with the insurance application. The registrant gives the controller the above-mentioned authorization to implement the policyholder's notification obligation, to clarify the insurance company's responsibility and to reduce the customer's inconvenience, as well as to speed up the handling of the customer's insurance case, among other things. The insurance company's right to access information in relation to a third party, such as health care units, is based on the contract between the insurance company and the policyholder, the authorization contained in it, and the Insurance Contracts Act.

In connection with the health examination, the registrar asks the insurance applicant for authorization to obtain information from the health care units in the following way:

"I authorize [the data controller] to request personal information about my health from the doctors who examined and treated me, hospitals, health centers, counseling centers, occupational healthcare units, mental health offices, private hospitals and social care units, as well as from other insurance companies and insurance and pension institutions, necessary for processing this application and a possible compensation case. In order to obtain the necessary information, [the data controller] may hand over to the above-mentioned parties individualized information about my state of health and my insurance. With regard to the National Pension Service's information, my authorization only applies to the information needed to process the compensation case.''

The registrar examines the registered person's health information requested from the health care unit to see if the policyholders have provided correct and complete information about their health status in the health reports they filled out in connection with the insurance application. It is important for the registrar to examine the information in order to clarify his responsibility and to rule out possible insurance fraud. In this regard, the registrar has referred to the provisions of Section 22, Section 24, Section 69 and Section 72 of the Insurance Contracts Act.

Information requested by the controller

The registrant was asked to clarify which information it requests for use in requests for information about the registered person sent to health care units related to insurance contracts. In addition, the data controller was asked to explain how the data controller ensures that it does not process information that is unnecessary for each customer's purpose. The registrar was also asked to tell how it works if the registrar has been provided with information that is not relevant for the execution of the insurance contract.

The registrar says that it strives to offer customers the most hassle-free way to obtain insurance and to minimize situations in which the customer's information is requested from the healthcare unit. In all cases, it is not necessary to request additional information about the registrant from the healthcare units. [...]. If the customer cannot sign a short health report, we will switch to using an extensive health report. In an extensive health examination, the operating principle is that the preliminary questions are set in such a way that they take into account as much and as accurately as possible the medical facts on the basis of which a decision can be made and the risk arising from the insurance for the insurance company can either be accepted or rejected by the insurance company. The controller has delivered to the data protection commissioner's office copies of the narrow and extensive health report he used.

The registrar has said that when processing health reports, the responsibility selection handler is in contact with the health care unit on a case-by-case basis to obtain additional information. On the one hand, the controller has stated that the information requests are not always the same, but are modified to suit the case. The request for additional information can be individualized regarding clarifications on a certain disease or topic and concern a doctor's opinion or a copy of the medical report. The content of the information request to the healthcare unit is based on the type of insurance contract and insurance coverage the customer is applying for. The period from which information is requested is determined based on the expert's assessment. There are differences in the insurance products, and each cover only covers insurance events according to its terms, such as death and serious illness. In addition, when determining liability, the limitation conditions set for the insurance contract should be identified. The content of the information requests is therefore based on the data controller's risk management, choice of responsibility and medical assessment.

On the other hand, the data controller has stated that it is bound by the confidentiality obligation according to Chapter 31, Section 2 of the Insurance Companies Act, and for this reason, the data controller cannot specify the basis for accessing the data to the health care unit in more detail than was specified in the case disclosed to the data protection commissioner's office. When the registrar evaluates the conditions for the implementation of the insurance contract, it needs information about the insured's age and health for decision-making. In order to make an insurance decision, the registrar requests medical records, which also include laboratory tests and diagnoses. […]. According to the registrar, it needs the essential health information related to the requested security for the specified period. […].

According to the registrar, the assessment of the health status of the registered person made by the doctor treating the patient in the health care unit does not fulfill the policyholder's obligation to provide information to the full extent. The doctor treating the patient cannot make an assessment of the insurance company's liability on behalf of the insurance company, as the assessment of liability requires knowledge of the insurance contract, its terms and conditions and insurance legislation and settlement practice. In the insurance company, liability assessment is handled by liability selection experts, claims processors and insurance doctors, as well as other experts in the insurance industry.

The registrar also states that if there was no authorization procedure for the registrar, the registered person should request the necessary information from the health care unit in connection with the insurance application themselves and deliver it to the registrar. According to the registrar, the healthcare unit must, on the basis of the registrant's authorization, give the registrar the same information as it would give to the registrant. Based on the authorization signed by the registrant, the controller requests health information on behalf of the data subject using the data subject's rights according to Article 15 of the General Data Protection Regulation. If the information is not given to the data controller based on authorization from the health care unit, it must be given to the customer himself in any case. In accordance with § 22 of the Insurance Contracts Act, the registrant is obliged to give correct and complete answers to the questions posed by the insurance company already when applying for insurance, and during the insurance period, without undue delay, to correct the information he has given to the insurance company, which he finds to be incorrect or incomplete.

In addition, the data controller states that, pursuant to Article 16 of the General Data Protection Regulation, the data subject has the right to demand that the health care unit correct inaccurate and incorrect data concerning the data subject, if the health status data had been previously processed in the health care unit in such a way that the insurance company would not be able to clarify its responsibility and the data subject would not be able to comply with his obligation to provide information according to the Insurance Contracts Act directly through the authorization through.

The starting point for the evaluation of the customer's health status data is a medical probability assessment of the effect of the health status on the probability of an insurance event. Determining the registrar's liability is based on the registrar's and reinsurer's liability selection guidelines. Liability settlement is governed by the legislation binding the insurance company, especially insurance and data protection legislation, good insurance practice and medicine.

In the data controller's opinion, information requests do not request information that is unnecessary in terms of determining the purpose of use, i.e. contractual liability. In order to clarify its responsibility, the registrar must make sure that the policyholder has not left essential information about his health in the medical examination. The registrar says that, for this reason, it is also unable to specify in advance which information is necessary to clarify its liability and to ensure the policyholder's obligation to provide information.

The registrar also informs that if the healthcare unit provides the registrar with information that is judged to be obviously irrelevant in terms of the execution of the insurance contract in the selection of liability, the received information will be sent back with a note that the information sent is irrelevant and the information will be deleted. If necessary, the data controller reports a data protection violation in accordance with the process. The controller has listed the following points in summary, which support the minimization of personal data processing carried out by it:

- Only necessary information is requested

- There is a process for handling data protection violations, for example in the event that the wrong person's information is received, or information is sent using the wrong distribution

- Limited access rights to health information are in use, including a process for processing extensive health reports

- Quality control is implemented in the responsibility selection process

- Information security and data protection are taken into account as part of the processes of the registrars

- Personal data retention periods are taken care of

In the view of the data controller, the large-scale systematic deletion of information about health status before the possible compensation processing process would endanger the legal protection of the customer. Before the liability of the insurance company begins, insurance companies must be able to limit the liability of the insurance company proportionately. If information regarding the state of health is not obtained sufficiently comprehensively and in a timely manner for the insurance company's choice of liability, it will have an impact on the coverage of the insured customer's security and this will only become apparent afterwards in the processing that takes place in the compensation situation. In this case, the purpose of taking out the insurance is not fulfilled from the customer's point of view. If the insurance company is not able to charge the customer a price that is properly proportionate to the risk, this could, in the view of the registrar, negatively affect the customers in such a way that insurance premiums might have to be increased. The insurance company must also act equally towards customers, so the compensation line must be uniform and in accordance with good insurance practice.

The data protection officer's decision and reasons

1. Legality of processing health data belonging to special personal data groups

Decision

Based on the reasons presented in more detail below, the data protection commissioner considers that the data controller cannot process the health data of the applicant for voluntary insurance or the health data of the person for whose death, illness or injury voluntary insurance is being applied for, based on the provisions of section 6, subsection 1, point 1 of the Data Protection Act. For this reason, the data controller cannot also request the health status information of these persons from the health care unit during the insurance application phase, pursuant to the provisions of Section 6, Subsection 1, Clause 1 of the Data Protection Act.

Based on the more detailed assessment presented below, the processing of the special personal data groups of the voluntary insurance applicant by the controller does not comply with Article 9 of the General Data Protection Regulation. For this reason, the Data Protection Commissioner orders the data controller pursuant to Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to bring the processing operations in line with the provisions of Article 9 of the General Data Protection Regulation, when the data controller processes the health data of the applicant for voluntary insurance or the health data of the person for whose death, illness or injury voluntary insurance is being applied for. .

The Data Protection Commissioner leaves it to the discretion of the data controller to determine the more precise appropriate measures, but orders to submit to the Data Protection Commissioner's office by July 29, 2022 a report on what measures the data protection officer has taken as a result of the decision, unless it applies for an amendment to this decision.

On applicable legislation

The General Data Protection Regulation of the European Parliament and the Council is immediately applicable law in the member states. The General Data Protection Regulation contains national leeway, on the basis of which national legislation can be used to supplement and specify matters specifically defined in the regulation. The general data protection regulation is specified in the national data protection law.

In principle, pursuant to Article 9, Paragraph 1 of the General Data Protection Regulation, the processing of health-related information is prohibited. However, processing is permitted if one of the processing conditions according to Article 6 of the General Data Protection Regulation is met and if, in addition, one of the special processing grounds mentioned in Article 9 is also met.

In accordance with Section 6, Subsection 1, Section 1 of the Data Protection Act, Article 9, Section 1 of the Data Protection Regulation does not apply to information obtained in the course of insurance operations handled by the insurance institution about the health, illness, or disability of the insured and the claimant, or information about the treatment measures assigned to him or similar actions that are necessary to determine the insurance institution's liability.

According to § 1, the Insurance Contracts Act applies to insurance other than statutory insurance. In accordance with Section 2, Subsection 1, Clause 4 of the Insurance Contracts Act, the policyholder means the person who has entered into an insurance contract with the insurer, and in accordance with Clause 5, the insured means the person who is the subject of personal insurance.

Reasoning

In the case under consideration, the issue is voluntary insurance. The Insurance Contracts Act sets a general framework for contracts, but the scope of insurance coverage and many details of the conditions are specific to the insurance company.

Before concluding the insurance contract, the registrar maps the insurance applicant's health status in the selection of liability based on the information provided by the insurance applicant in the health examination and the medical record information requested from the health care unit. The registrar has stated that it processes the data to implement the insurance contract (Article 6, paragraph 1, subparagraph b of the General Data Protection Regulation).

According to Section 6, Subsection 1, Section 1 of the Data Protection Act, Article 9, Section 1 of the Data Protection Regulation does not apply to information obtained in the course of insurance operations handled by the insurance institution about the health, illness, or disability of the insured and the claimant, or information about treatment measures directed at him or comparable actions that are necessary to determine the insurance institution's liability. The provision in question has been issued pursuant to the national discretion of the General Data Protection Regulation and is based on Article 9, paragraph 2, subparagraph g of the General Data Protection Regulation. The drafts of the Data Protection Act state that the detailed regulation of insurance institutions, together with the requirement of a license for insurance operations and the right of processing limited to ascertaining liability, can be considered to constitute appropriate and special measures to protect the basic rights and interests of the data subject.

According to Section 11 of the Personal Data Act, which was in force before the Data Protection Act was enacted, the processing of sensitive personal data is prohibited, and sensitive data was considered to be, for example, personal data that describes a person's state of health, illness or disability, or treatment measures directed at him or actions comparable to them. However, according to Section 12 of the Personal Data Act, this did not prevent the insurance institution from processing information obtained in the insurance business about the insured's and claimant's state of health, illness or disability, or about the treatment measures or comparable measures applied to them. The regulation of the currently valid Data Protection Act thus corresponds to the regulation of the previously valid Personal Data Act.

According to Section 2, Subsection 1, Clause 4 of the Insurance Contracts Act, the policyholder means the person who has entered into an insurance contract with the insurer. According to Section 2, Subsection 1, Clause 5 of the Insurance Contracts Act, insured means the person who is the subject of personal insurance. According to the provisions of the Insurance Contracts Act, the insured of life insurance is a person whose death or survival insurance has been taken out. The insured of accident insurance is a person whose insurance has been taken out in case of accidental injury or death.

The Data Protection Commissioner draws attention to the fact that the regulation according to section 6, subsection 1, point 1 of the Data Protection Act is limited only to the processing of information about the health, illness or disability of the insured and the claimant. During the insurance application phase, the insurance contract has not yet been concluded.

Information requested from the health care unit

Personal data must be processed in accordance with the law, appropriately and transparently from the point of view of the data subject (data protection regulation, Article 5, paragraph 1, subparagraph a). Fairness is a general principle regarding the processing of personal data, which requires, among other things, that personal data is not processed in an unexpected or misleading way for the data subject. Registrants must be guaranteed the greatest possible right to self-determination in determining the use of their own personal data. The most important purpose of data protection legislation is that registered users retain control over their own personal data. Therefore, when processing data, it should be taken into account that what kind of processing is in accordance with the expectations of the registered users.

The health care information requested by the registrar concerns the registered health data collected during the care relationship, where the starting point has been the confidentiality of the care relationship between the registered person and the health care unit. In accordance with § 12 of the Act on the Status and Rights of the Patient (785/1992, the Patient Act), the healthcare professional must enter in the patient documents the information necessary to secure the organization, planning, implementation and monitoring of the patient's treatment. According to the Data Protection Commissioner, the information collected during the care relationship is not necessarily limited to health-related information only. The information may reveal, for example, information about ethnic origin, religious beliefs, or sexual behavior and orientation. During the treatment relationship, the data subject has disclosed the information in order to receive the treatment required for his health condition. The data may be particularly sensitive, and their processing may, depending on the context, cause significant risks to the protection of the data subjects' private lives and possibly other fundamental rights and freedoms.

The obligation of the health care and medical care provider to keep patient documents confidential has been stipulated in several contexts. In Section 13 of the Patient Act, the starting point is that the information contained in patient documents is confidential. According to section 13, subsection 2 of the Patient Act, a healthcare professional may not, without the patient's written consent, give information contained in patient documents to a third party. According to section 13 subsection 3 of the Patient Act, disclosure of information is permitted in addition to the patient's consent only in limited situations, such as the necessity of the patient's examination and treatment or based on a specific provision of the law. The processing of patient documents is therefore associated with a strong need to respect and protect the patient's privacy.

For the reasons stated above, the data protection commissioner considers that the provision of section 6, subsection 1, point 1 of the Data Protection Act regarding the processing of health data of the insured and the claimant in the insurance business cannot be extended to the registered person who is an insurance applicant during the insurance application phase. Registrants must be able to rely on the verbatim regulation of the Data Protection Act when applying for insurance. The processing of health data belonging to special personal data groups contrary to the statutory regulation is not in accordance with the reasonable expectations of the data subjects. Due to the need for strong privacy protection related to patient documents, it is also not possible for the data to be processed contrary to the literal regulation.

Therefore, the data protection commissioner considers that it is not possible to apply the provisions of Section 6, Subsection 1, Clause 1 of the Data Protection Act to the processing of the insurance applicant's health data and the request for health data from the health care unit.

Consent as a basis for processing special personal data groups

Although the Data Protection Commissioner leaves to the discretion of the data controller the determination of more precise appropriate measures due to the order given to the data controller, the Data Protection Commissioner wishes to point out in this context that, according to the Data Protection Commissioner's view, it would be possible for the data controller to process the health information of insurance applicants before concluding an insurance contract based on consent. The Data Protection Commissioner explains his view in more detail below.

In accordance with Article 9, paragraph 2, subparagraph a of the General Data Protection Regulation, the prohibition on processing special groups of personal data does not apply if the data subject has given his express consent to the processing of the personal data in question for one or more specific purposes. In accordance with Article 4, paragraph 11 of the General Data Protection Regulation, the data subject's "consent" means any voluntary, individualized, informed and unambiguous expression of will by which the data subject accepts the processing of his personal data by giving a statement expressing consent or by taking an action clearly expressing consent.

Article 7 of the General Data Protection Regulation stipulates the conditions for consent. In accordance with Article 7, paragraph 4, when assessing the voluntariness of the consent, it must be taken into account as comprehensively as possible, among other things, whether the execution of the contract, including the provision of the service, is conditioned by consent to the processing of personal data that is not necessary for the execution of the contract in question.

The European Data Protection Board has issued guidelines 05/2020 on consent according to the General Data Protection Regulation. In the guidelines, it has been stated that in Article 9, Paragraph 2 of the General Data Protection Regulation, which provides for special exceptions to the processing of special groups of personal data despite the general processing ban, the need for the implementation of the agreement is not provided for as such an exception. In this regard, the data controllers should find out whether one of the special exceptions provided for in Article 9, paragraph 2, subparagraphs b - j, could apply to such a situation. If none of the exceptions set forth in subsections b - j apply to the situation, obtaining express consent in accordance with the conditions for valid consent laid down in the General Data Protection Regulation is the only possible legal exception on the basis of which the controller could process data belonging to special personal data groups.

As an example, the guidelines refer to a situation where a customer books a flight and in this context asks the airline for travel assistance in getting on the plane. The airline then asks the customer to provide the airline with information about their health status so that the airline can identify what kind of help the customer needs in order to arrange appropriate services for the customer. In this context, the airline requests express consent to the processing of the customer's health data for the purpose of arranging assistance. The Data Protection Council has stated with regard to this example situation that, since the information is necessary to perform the requested service, Article 7, paragraph 4 of the General Data Protection Regulation does not apply.

On the other hand, the Data Protection Commissioner also draws the controller's attention to the fact that in accordance with Article 7, paragraph 4 and paragraph 43 of the introduction of the Data Protection Regulation, it is not desirable to require, in connection with the execution of the contract, that the data subject must give his consent to the processing of personal data that is not necessary for the execution of the contract in question. If consent is given in such a situation, it is not considered voluntarily given. Below, the data protection commissioner's second decision deals with what kind of processing of personal data to determine the insurance company's liability is in accordance with Article 5(1)(a) and (c) and Article 25(2) of the General Data Protection Regulation.

The Data Protection Commissioner also draws attention to the fact that, in accordance with Article 7, paragraph 3 of the General Data Protection Regulation, the data subject must have the right to withdraw his consent at any time. Withdrawal of consent does not affect the legality of processing carried out on the basis of consent prior to its withdrawal. Before giving consent, the data subject must be informed of this. Withdrawing consent must be as easy as giving it.

On the authorization requested by the registrar

The data protection commissioner also evaluates the current operating method of the data controller, in which the data controller requests the registered authorization to request health data from healthcare units in connection with the health report form.

Based on the information provided by the registrar, in connection with all insurance applications, it requests authorization from the registered person to request information from the health care unit, if the conclusion of the insurance contract requires a medical choice of liability. The registrar acts this way despite the fact that in all cases the registrar does not request the insurance applicant's health information from the health care unit. During the application phase, the registrants sign an authorization that the health care units are allowed to provide the personal data regarding the registrant's state of health necessary for processing the insurance application and possible compensation case to the registrar.

Paragraph 43 of the preamble of the Data Protection Regulation specifies that consent is not considered to have been given voluntarily if it is not possible to give separate consent for different personal data processing operations, despite the fact that this is appropriate in individual cases. The guidelines of the European Data Protection Board state that if consent is obtained in full accordance with the General Data Protection Regulation, it is a tool that data subjects can use to control whether their personal data is processed or not. According to the instructions, the conditions related to "individualized" consent aim to ensure a certain degree of control and transparency for the data subject. The prerequisites for individualized consent are that the data controller observes accuracy in requests for consent. In each separate request for consent, the controller must explain exactly what data is processed for each purpose, so that the data subject is clear about the different options and their effects. Obtaining valid informed consent in accordance with the instructions requires that the data subject is informed about what information is collected and used.

According to the Data Protection Commissioner's opinion, the current form of authorization used by the data controller applies to an undefined set of registered stored health data in the patient registers of different healthcare units. Referring to the regulation of the Data Protection Regulation and the guidelines of the European Data Protection Board issued pursuant to it, the Data Protection Commissioner considers that the consent requested from the data subject is not sufficiently specific and the consent request does not follow such precision that policy applicants could control whether their personal data is processed or not, and which data for each purpose will be processed.

Therefore, the data protection commissioner considers that the general authorization requested by the data controller in connection with the health examination to request information from different health care units for the processing of the insurance case is not sufficient to fulfill the requirement for the processing of special personal data groups according to Article 9, paragraph 2, subparagraph a of the General Data Protection Regulation.

Power of attorney for exercising the right to inspect your own data

The Data Protection Commissioner also evaluates the statement of the data controller, according to which the data controller can, on the basis of the authorization, act on behalf of the data subject by using the right to inspect the data subject's own data referred to in Article 15 of the Data Protection Regulation.

The Data Protection Regulation does not regulate the use of a representative in matters concerning the exercise of the data subject's rights. However, in all personal data processing, the controller is obliged to comply with the personal data processing principles laid down in the General Data Protection Regulation and in accordance with Article 5.

The Data Protection Commissioner draws attention to the fact that the data controller requests the health data of the registrants from the health care units for the purpose of determining the liability and risk of the insurance company. If the data controller were to act as the data subject's representative in a matter concerning the right to inspect their own data on the basis of a power of attorney signed by the data subject, then the data subject's right to inspect their own data would also be the purpose of the personal data processing. The purpose of the right to inspect your own data is, among other things, to check the legality of the processing and the accuracy of the data. If the representative of the registered person acting on the basis of a power of attorney begins to process the information obtained as a representative to ensure the fulfillment of his own interests, such as to exclude the possibility of fraud as defined in the Insurance Contracts Act, the issue is then a new purpose of use. Such a procedure is therefore contrary to the principle of purpose-relatedness in Article 5, paragraph 1, subparagraph b of the General Data Protection Regulation.

With regard to the controller's statement, the Data Protection Commissioner also draws attention to the Deputy Data Protection Commissioner's decision 7635/162/21, where it has been stated with regard to the registered person's right of inspection that the registered person has the opportunity to use this right so that he can stay informed about the legality of the processing and check it himself. In the decision, it was stated that the authority could not require the registrant to provide itself with the information obtained based on the use of the registrant's inspection right, and therefore does not use the registrant's inspection right as a tool for the authority's information acquisition.

In addition, the Data Protection Commissioner draws attention to the fact that data processing must be understandable, i.e. the data subject must have an appropriate understanding of what he can expect from the processing of his own personal data. From the point of view of the registered person, it is not transparent or understandable that the current form of authorization used by the registrar involves signing a power of attorney in order to exercise the right to inspect the registered person's own data.

The data protection commissioner states that the authorization to be signed in connection with the health examination related to the insurance contract cannot include the fact that the data subject authorizes the controller to use the right to inspect their own data according to Article 15 of the General Data Protection Regulation.

2. Data minimization, reasonable processing and built-in and default data protection

Decision

Based on the reasons presented in more detail below, the data controller's method of operation is, in the opinion of the Data Protection Commissioner, contrary to Article 5(1)(a) and (c) and Article 25(2) of the General Data Protection Regulation, when the data controller requests information about the health status of the registered person from the health care unit and processes the information received in order to determine the liability of the insurance company. For this reason, the Data Protection Commissioner orders the data controller pursuant to Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to bring the processing of personal data into compliance with Article 5, paragraph 1, subparagraphs a and c, and Article 25, paragraph 2 of the General Data Protection Regulation.

On the basis of this regulation, the data controller must identify the requested information in the request for health status information of the registered person submitted to the health care unit to a specific matter, case, illness or symptom that is of factual importance in assessing the data controller's responsibility. The registrar must also assess from which period it is necessary to request the health status information of the registered person from the health care unit in order to clarify the responsibility of the registrar and, based on this, limit the period from which the health status information of the registered person is requested from the health care unit.

The Data Protection Commissioner leaves it to the discretion of the data controller to determine the more precise appropriate measures, but orders to submit to the Data Protection Commissioner's office by July 29, 2022 a report on what measures the data protection officer has taken as a result of the decision, unless it applies for an amendment to this decision.

Based on the reasons presented in more detail below, the data protection commissioner gives the data controller a notice in accordance with Article 58, paragraph 2, subparagraph b of the General Data Protection Regulation, because the personal data processing actions carried out by the data controller have been in violation of Article 5, paragraph 1, subparagraphs a and c, and Article 25, paragraph 2 of the General Data Protection Regulation, when requested by the data controller, concerning the state of health of the data subject. information about the health care unit and information received by the data controller during processing.

On applicable legislation

According to Section 22 of the Insurance Contracts Act, the policyholder and the insured must, before the insurance is issued, give correct and complete answers to the questions posed by the insurer, which may be relevant in terms of assessing the insurer's liability. In addition, during the insurance period, the policyholder and the insured must, without undue delay, correct any information they have provided to the insurer that they find to be incorrect or incomplete.

According to Section 37 of the Insurance Contracts Act, the insurance terms may limit the insurer's liability for the consequences of the illness or injury covered by the insurance on the basis that the illness or injury already existed when the insurance was applied for, and the limitation is based on the information obtained by the insurer about the insured's health before issuing the insurance.

According to Section 69 of the Insurance Contracts Act, the applicant for compensation must provide the insurer with such documents and information as are necessary to clarify the insurer's liability and which can reasonably be required of him, also taking into account the insurer's possibilities to obtain a statement.

According to Article 5(1)(c) of the General Data Protection Regulation, personal data processed must be appropriate and relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization").

According to Article 5, paragraph 1, subparagraph a of the General Data Protection Regulation, personal data must be processed legally, appropriately and transparently from the point of view of the data subject ("lawfulness, reasonableness and transparency").

According to Article 25, paragraph 2 of the General Data Protection Regulation, the controller is obliged to take appropriate technical and organizational measures to ensure that, by default, only personal data necessary for the specific purpose of the processing is processed. This obligation applies to the amount of personal data collected, the extent of processing, storage time and availability.

Reasoning

The registrar requests the health status information of the applicant for voluntary insurance from the health care unit in order to clarify his responsibility according to the Insurance Contracts Act. The registrar has said that during the insurance application phase, it requests information primarily from the insurance applicant himself and tries to minimize the situations where the registrar has to request the insurance applicant's information from the health care unit.

The controller has stated that in some cases the request for additional information to the health care unit may be specific to a specific disease or topic and that information is requested for a period defined based on an expert's assessment. Despite this, the data controller has stated that in those cases where the data controller makes a request to the health care unit, the data controller will request access to the medical records of the insurance applicant for the specified period. In addition, the data controller has stated that it has the right to ensure that the data subject has not left essential information about his health in the health examination. For this reason, the data controller is not able to specify the pre-defined period in more detail in the request sent to the health care unit, which information about the data subject the data controller needs to obtain.

According to the registrar, the assessment of the health status of the registered person made by the doctor treating the patient is also not sufficient to determine the liability of the insurance company, as the assessment of liability requires knowledge of the insurance contract, insurance legislation and settlement practice. According to the registrar, it also needs information about the registered person from the health care unit in order to rule out possible insurance fraud. The registrar has stated that it must be able to assess its liability in a timely manner before concluding the insurance contract, so that the limitations to the coverage of the insurance cover do not become apparent to the policyholder only after the fact in the handling of claims.

Based on the explanation provided by the data controller, it would seem that if the data controller decides to make a request for information to the health care unit, in some cases the data controller specifies the request for additional information to be sent to the health care unit. Despite this, according to the case brought to the attention of the Data Protection Commissioner's office and the report given, the procedure used in the organization of the data controller is also to request the registered person's entire medical record for a specified period.

The Data Protection Commissioner assesses the controller's operation method based on the provisions of the Insurance Contracts Act and the Data Protection Regulation opened above.

In accordance with paragraph 27 of the introduction to the General Data Protection Regulation, the data protection regulation does not apply to information about deceased persons. For this reason, in this decision, the data protection commissioner does not evaluate the processing of health data of deceased persons based on the data protection regulation.

When evaluating the registrar's method of operation, attention must first be paid to the fact that under Section 22 of the Insurance Contracts Act, the insurance applicant's obligation to provide information is limited to information that may be relevant in terms of assessing the insurer's liability. In the drafts of the Insurance Contracts Act, it is specified that the policyholder's obligation to provide information only applies to matters that may be relevant in terms of assessing the insurer's liability. It has been established in the legal literature that the matters inquired by the insurance company must, based on experience, be closely related to the insurer's risk assessment. In the same context, it has been established that such information, which is not relevant in isolation, can together form a whole that is relevant for risk assessment. For example, minor illnesses must be reported when asked, even if the reporting party considers the information irrelevant in terms of the insurer's liability.

Also in connection with applying for compensation, the insurer must be given the information necessary to determine the insurer's liability pursuant to Section 69 of the Insurance Contracts Act. With regard to applying for compensation, the drafts of the Insurance Contracts Act specify that documents and information necessary to establish liability include, for example, those that can be used to determine whether an insured event has occurred and how much damage has occurred. The claimant's obligation to clarify also applies to matters unfavorable to him. In personal insurance, for example, the claimant must not fail to submit the necessary medical certificate, even if this would indicate a failure to provide information.

The provisions of the Insurance Contracts Act presented above should be evaluated together with the regulations regarding data minimization and built-in and default data protection. The principle of data minimization (Article 5(1)(c) of the General Data Protection Regulation) is specified in paragraph 39 of the preamble of the General Data Protection Regulation, according to which personal data should only be processed if the purpose of the processing cannot reasonably be achieved by other means. In addition, the Data Protection Commissioner draws attention to the European Data Protection Board's guidelines on built-in and default data protection, according to which key elements of the data minimization principle include, among other things:

- Avoiding processing – avoid using personal data at all, if it is possible in connection with each purpose.

- Limitation of processing – limit the amount of personal data collected only to what is necessary for the purpose.

- The materiality of the data being processed – the personal data must be relevant for the processing in question, and the controller must be able to demonstrate the materiality.

- Necessity of the processed data – each group of personal data must be necessary for the specified purposes, and must be processed only if the purpose cannot be fulfilled by other means.

According to the guidelines of the European Data Protection Board, the basic condition for the processing of personal data is to include data protection in the processing operations already by default. It is the responsibility of the data controller to define in advance the specific, specific and legal purpose for which the data is processed. By default, the adopted operating methods should be such that the controller processes only such personal data as is necessary for each specific purpose of processing.

For the reasons stated above, the data protection commissioner considers that, based on the regulation of the Insurance Contracts Act and the Data Protection Regulation, the data controller must in all cases specify in the request to the health care unit regarding the data on the health status of the registered person, which relevant information and from which time period the data controller requests access. This means that the data controller must limit the requested information to a specific issue, case, illness or symptom that is of actual importance in assessing the data controller's responsibility. The registrar must also assess from which period it is necessary to request the health status information of the registered person from the health care unit in order to clarify the responsibility of the registrar and, based on this, limit the period from which the health status information of the registered person is requested from the health care unit. In the already sent request, the data controller must limit the requested information to only necessary information, so that the data controller can also demonstrate that it requests from the health care unit only such data on the health status of the registered person that is necessary in the evaluations concerning the clarification of the data controller's responsibility.

The processing of patient documents requested from health care units involves a strong need to respect and protect the patient's privacy, and this is stipulated, among other things, in Section 13 of the Patient Act. In the worst case, the processing of the data in question may involve the risk of, for example, humiliating the data subject or spreading information about the family's private life. The starting point for processing patient documents is that the data subject can and has been able to expect during the treatment relationship that health data will be processed with respect for the data subject's privacy.

The registered person may have dealt with the health care unit for many different reasons, and not all information collected about the registered person in the health care unit is necessarily relevant in terms of assessing the insurance company's responsibility when applying for insurance or when assessing the conditions for paying insurance compensation. The Data Protection Commissioner considers that it would be contrary to the principle of data minimization and the regulation on built-in and default data protection for the data controller to request access to all data collected by the health care unit about the data subject, for example copies of medical records and test results. This would lead to the fact that, by default, the controller would possibly handle information in the liability assessment process that is not relevant in terms of liability assessment and is therefore unnecessary in terms of the purpose of use of the data.

The reasonableness of personal data processing (Article 5, paragraph 1, subsection a of the General Data Protection Regulation) is a general principle that requires, among other things, that personal data may not be processed in a way that is unreasonably harmful to the data subject and that the processing of personal data must meet the data subject's reasonable expectations. The controller must respect the basic rights of the data subjects and implement appropriate measures to respect the rights. It is the responsibility of the controller to take into account what kind of processing is in line with the reasonable expectations of the data subjects. The Data Protection Commissioner considers that, due to the serious risk associated with health status data generated in healthcare units, an unnecessarily extensive processing of data by default would be unreasonable from the point of view of data subjects. It is not reasonable for the data controller to gain unnecessarily extensive or even unlimited access to the data subject's health information based on the responsibility assessment process. It is also not sufficient that the controller only assesses the necessity of the collected data after receiving the data and deletes the unnecessary health status data.

The Data Protection Commissioner considers that the obligation of the data controller to identify the request sent to the health care unit to a specific issue, disease or symptom does not reduce the data controller's right to obtain sufficient information about the health status of the data subject for the purpose of assessing the data controller's responsibility. It is possible for the registrar to request the necessary information for the assessment of the insurance company's liability directly from the registered person. In Section 22 of the Insurance Contracts Act, notification is a clear and explicit obligation. In addition, it is worth noting that if the policyholder or the insured discovers that they have provided incorrect or incomplete information to the insurer, the latter must also correct the information without undue delay. Sanctions have also been established for the policyholder's or the insured's failure to provide information. Accordingly, when applying for insurance compensation, the claimant has a clear obligation to provide the insurer with such documents and information as are necessary to ascertain the insurer's liability.

It is not acceptable that the controller's need to make sure that possible insurance fraud is excluded would enable the controller to have unrestricted access to the health data generated and collected in the registered healthcare units.

The Data Protection Commissioner also draws attention to the recommendation of the Finnish Medical Association on September 25, 2009 (revised on May 2, 2016) on the disclosure of patient data to insurance companies. The Finnish Medical Association recommends handing over information about the patient's state of health in the form of a statement, unless the procedure is otherwise provided for in special legislation. The Data Protection Commissioner also considers it justified that the information should be requested and disclosed primarily in the form of a statement. Such a method of operation is in accordance with the principle of minimizing personal data and protects the patient's privacy, for example, in a situation where the visit logs contain information other than what is clearly necessary for the assessment of the insurance company's liability.

Penalty assessment

In decision no. 4431/161/21, the Sanctions Board of the Office of the Data Protection Commissioner has imposed a penalty payment on the Finnish Transport Insurance Agency for violation of data protection regulations in the processing of patient document entries in connection with compensation cases. The Data Protection Commissioner also assesses the grounds for imposing an administrative fine on the data controller in accordance with Article 83 of the General Data Protection Regulation in the case currently being resolved.

In the case of a violation of the principles governing the processing of personal data (Article 5 of the General Data Protection Regulation), the administrative fine may be a maximum of 20,000,000 euros or, in the case of a company, four percent of the total annual global turnover of the previous financial year, whichever is greater. The imposition of an administrative fine must be evaluated in the light of the conditions according to Article 83, paragraph 2 of the General Data Protection Regulation. The article in question is specified in point 148 of the preamble of the regulation, according to which the supervisory authority should impose sanctions for violations of the provisions of the regulation, such as administrative fines, in addition to or instead of the appropriate measures it imposes. If it is a minor violation or if the imposed penalty would be an unreasonable burden on a natural person, a notice can be given instead of a penalty.

In the matter now being resolved, the controller has said, on the one hand, that if the controller decides to make a request for information to the healthcare unit, in some cases the controller identifies the request for additional information to be sent to the healthcare unit and determines the period of the requested information based on an expert's assessment. On the other hand, from the case brought to light by the data protection commissioner's office and from the report given by the data controller, it has become clear that the procedure used in the data controller's organization is to request the registered person's entire medical record for a specified period from the health care unit. The controller has also stated that, in its view, it has the right to receive the same information from the healthcare unit that the registered person would have the right to receive based on the right to inspect their own data in Article 15 of the General Data Protection Regulation, so that it can investigate whether the policyholders have provided correct and complete information about their health status in the health reports they filled out in connection with the insurance application. .

It is worth noting in the penalty assessment of the matter to be resolved now that the data controller has processed the health data of registrants in an unnecessarily extensive manner in those cases where the data controller has requested the entire medical record of the data subject for a certain period of time from the health care unit. According to the data protection commissioner's view, the processing operations have been contrary to the principle of data minimization and the regulation on built-in and default data protection, as the controller has not limited the amount of personal data collected only to what is necessary for the purpose. Since the question is about the health status data of registered persons formed in healthcare units belonging to special personal data groups, the processing has been apt to cause an unjustified high risk to the protection of private life of registered persons. For this reason, the penalty assessment must also take into account that the processing has not been reasonable towards the data subjects.

On the other hand, in the penalty assessment, it must be noted that, according to the data controller's report, in some cases the data controller identifies the request for additional information sent to the health care unit, although the data controller has not determined in more detail how much of these requests have actually been sent to the health care units as individualized for a certain disease or topic.

In the decision of the data protection authorized office, dnro 4431/161/21, the right of access to information has been assessed based on Section 82 of the Motor Insurance Act (460/2016). In accordance with Section 82, subsection 3 of the Motor Insurance Act, the insurance company's right to access information requires that the information is necessary for the resolution of the insurance or compensation case under consideration, or otherwise necessary for the performance of the duties stipulated in this Act. Pursuant to Section 22 of the Insurance Contracts Act, the disclosure obligation applies to information that may be relevant in terms of assessing the insurer's liability. Pursuant to Section 69 of the Insurance Contracts Act, the claimant must provide the insurer with such documents and information as are necessary to ascertain the insurer's liability. It has been established in the legal literature that the matters inquired by the insurance company must, based on experience, be closely related to the insurer's risk assessment. In the same context, it has been established that such information, which is not relevant in isolation, can together form a whole that is relevant for risk assessment.

Based on the above, the wording of the Insurance Contracts Act can be estimated to leave more room for interpretation than the Motor Insurance Act. Despite this, according to the Data Protection Commissioner's opinion, it is obvious that the Insurance Contracts Act does not allow the insurance company unrestricted access to patient data due to the investigation of the insurance company's liability, and it is not possible under the Insurance Contracts Act to assess that a procedure is acceptable in which the insurance company requests the entire medical record registered from the health care unit for a period of time. Based on the regulation of the Insurance Contracts Act, the registered person has a justified reason to expect that the insurance company will only process the health status data of the registered person that is necessary and limited for the insurance matter. Taking into account the significant risk to the protection of patient privacy related to the processing of patient documents created in healthcare units, the registrar's method of requesting the entire medical record from a certain time period has been reprehensible. Even though the controller's method of operation is reprehensible, the data protection commissioner takes into account in the penalty assessment that the Insurance Contracts Act does not set as high necessity criteria for accessing data as the Motor Insurance Act.

In the penalty assessment, it must also be taken into account that the data protection commissioner has no information about the data controller's previous similar violations in addition to the case mentioned in this decision.

On the basis of the above, based on the overall assessment, in this case, according to the data protection commissioner's view, it is most appropriate to primarily strive to change the operation of the data controller to comply with the law. Therefore, the Data Protection Commissioner considers the remark in Article 58, paragraph 2, subparagraph b of the General Data Protection Regulation to be a more proportionate sanction than the penalty payment in the case that is now being resolved.

Applicable legal provisions

General Data Protection Regulation
Article 5(1)(a), (b) and (c).

Article 7
Article 9

Article 25 paragraph 2

Article 58

Article 83

Data Protection Act

Section 6 subsection 1 paragraph 1
Insurance Contract Act
Section 1, Section 2, Section 22, Section 37 and Section 69

The law regarding the status and rights of a patient

Section 12 and Section 13

Appeal

According to Section 25 of the Data Protection Act (1050/2018), this decision can be appealed by appealing to the Administrative Court in accordance with the provisions of the Act on Trial in Administrative Matters (808/2019). The appeal is made to the administrative court.

Service

The decision is notified in accordance with § 60 of the Administrative Act (434/2003) by mail against receipt.

The decision is not legally binding.