Tietosuojavaltuutetun toimisto (Finland) - 128/182/19

From GDPRhub
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 9(1) GDPR
Article 32(1)(b) GDPR
Article 32(2) GDPR
Article 58(2)(d) GDPR
Type: Investigation
Outcome: Violation Found
Started: 13.04.2023
Decided: 04.12.2023
Published: 20.12.2023
Fine: n/a
Parties: Lääkärikeskus Gyneko Oy
National Case Number/Name: 128/182/19
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: fred

The Finnish DPA ordered a healthcare provider to reliably identify persons in its electronic healthcare appointment booking system. In its decision, the DPA stated that requesting a name and personal identity code is not enough to verify a person's identity.

English Summary

Facts

On 14 March 2023, the DPA requested the controller (Lääkärikeskus Gyneko Oy, a healthcare provider) to explain how its online appointment booking system worked. At the same time, the controller was notified of a previous decision by the DPA regarding electronic healthcare appointment booking systems concerning another healthcare provider.

In response to the request, the controller clarified that a person had to provide their name and personal identity code in order to book an appointment online. It also stated that no abuse of the system had been detected, and that efforts had been made to detect possible misuse by monitoring the number of logins and failed login attempts. The system would also have allowed a password to be set, but the controller had not implemented such an arrangement.

Holding

To begin with, the DPA pointed out that only requesting a name and personal identity code when booking an appointment online does not verify the person's identity. The personal identity code is not intended to be used as a means of identification, like a password, but to distinguish one person from another.

The DPA acknowledged that using the personal identity code as a password rests on the assumption that the code is not known to third parties, so that knowing it is enough to verify the identity of the person. The DPA stressed that, in reality, a person's personal identity code is often known to several other people. Thus, the DPA considered that the controller's appointment booking system enabled an unknown third party to book an appointment if they knew the name and personal identity code of the data subject. Such misuse may cause a variety of damage to the data subject in the form of false invoices or identity theft.

In light of this, the DPA emphasised that information regarding healthcare appointments is health data according to Article 9(1) GDPR and must be protected with particular care. Thus, on the basis of the information gathered, the DPA held that the security level of personal data processing carried out by the controller could not be considered appropriate in accordance with Article 32(1)(b) GDPR and Article 32(2) GDPR.

Pursuant to Article 58(2)(d) GDPR, the DPA ordered the controller to identify data subjects in a reliable way, such as by implementing a password or switching to electronic identification in the appointment booking system.

Comment

The decision is in line with the amendment to the Finnish Data Protection Act that entered into force on 1 January 2024, according to which the personal identity code or a combination of personal identity code and the name of the data subject may not be used solely to establish the identity of the data subject on the basis of information or documents provided by them.

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Decision of the Deputy Data Protection Commissioner

Thing

Security of personal data processing in the healthcare appointment service.

Registrar

Healthcare provider

Case description

A case has been initiated at the Data Protection Commissioner's office regarding the security of personal data processing in the online appointment booking system of the registrar as stipulated in Article 32 of the General Data Protection Regulation ((EU) 2016/679).

Statement received from the registrar

The Office of the Data Protection Commissioner has requested an explanation from the data controller on 14 March 2023. In connection with the clarification request, the data protection commissioner's office has given the controller guidance on Article 32 of the General Data Protection Regulation. In the same context, the data controller has been notified of the deputy data protection commissioner's decision regarding the online appointment booking system of another healthcare data controller.

The registrar has responded to the clarification request on March 30, 2023. The registrar has stated that booking a new appointment in the registrar's online appointment booking system is made with a combination of first name, last name and social security number.

The registrar has stated that no misuse of the online appointment booking system has been detected. According to the controller, abuse has been detected by observing the number of logins and failed login attempts. The registrar has stated that logging into the online appointment booking system can be blocked, if necessary, based on the browser session and IP address. The registrar has stated that the use of the appointment can be prevented in individual cases.

The registrar has stated that it is possible to set a password for the online appointment booking system. However, the registrar has not enabled the password function. The controller has said that it will probably introduce strong electronic identification during 2024.

A legal issue

The issue to be resolved is whether the processing of personal data in the online appointment booking system maintained by the data controller has met the requirements set out in Article 32, paragraphs 1 and 2 of the General Data Protection Regulation ((EU) 2016/679) to the extent that booking an appointment for the data controller's health services has been possible using a combination of first name, last name and social security number.

If the answer to the above question is negative, the deputy data protection commissioner will consider whether it is necessary to use the corrective powers in accordance with Article 58, paragraph 2, subparagraph b of the General Data Protection Regulation.

Decision of the Deputy Data Protection Commissioner

The order brings processing operations into compliance with the General Data Protection Regulation

The Deputy Data Protection Commissioner gives the controller an order in accordance with Article 58, Section 2, Subsection d of the General Data Protection Regulation to bring the processing operations into compliance with the provisions of Article 32, Sections 1 and 2 of the General Data Protection Regulation.

The deputy data protection commissioner orders a report on the measures taken to be submitted to the data protection commissioner's office no later than six weeks after notification of the decision, unless the data controller applies for an amendment to this decision.

Reasons for the Deputy Data Protection Commissioner's decision

The registrar provides healthcare services in accordance with the Act on Private Healthcare (152/1990). The website of the registrar states that the registrar is Northern Finland's leading medical center specializing in gynecology. The website says that you can make an appointment for a variety of healthcare services, such as gynecology, psychiatry, mammography, cancer treatments and plastic surgery. According to the website, call requests, procedure appointments, pregnancy ultrasound examinations or other special examinations cannot be booked through the electronic online appointment booking service.

Logging into the electronic online appointment booking system of the registrar is carried out only with a combination of social security number and first and last name. The registrar does not recognize the identity of the person doing business online. The online appointment booking system also does not compare name and social security number, i.e. electronic appointment booking is possible without the name and social security number data belonging to the same person.

The Deputy Data Protection Commissioner considers that simply asking for the social security number and first and last name in connection with an online appointment does not verify identity in electronic transactions. The personal identification number is not intended to identify a person, but to distinguish persons from one another. The use of a personal identification number as information similar to a password is based on the assumption that the personal identification number is not known to outsiders and that knowing the personal identification number would thus verify the person's identity. In reality, however, the social security number is almost always known to several other people.

The primary use of the appointment information processed in healthcare is the organization of the patient's health services and the implementation of the patient's care. Health care appointment information is patient documents referred to in the Act on the Status and Rights of the Patient 1992/785, (Patient Act), and patient data referred to in the Act on the Electronic Processing of Customer Data in Social and Health Care (2021/784, Customer Data Act). Healthcare appointment information is included in special personal data groups according to Article 9 of the General Data Protection Regulation (EU) 2016/679.

In the introductory paragraph 35 of the Data Protection Regulation, personal data related to health is defined. According to the introductory paragraph in question, health-related personal data is all information that concerns the state of health of the data subject and reveals information about the data subject's former, current or future state of physical health or mental health. Information collected for obtaining health services or in connection with their provision is health information. In addition, the number, symbol or special identifier given to a natural person, with which he can be unequivocally identified in the scope of health care, is health-related information according to the introductory paragraph. Information about illnesses, injuries, risk of illness, background information or treatments given, as well as information about the physical or medical condition of the data subject, regardless of the source from which the information was obtained, are health-related information belonging to special personal data groups according to Article 9 of the General Data Protection Regulation.

In the organization of health care services, the responsibility and diligence of the registrar have been emphasized. Users of healthcare services may be registered persons in a weak position, who may not be able to assess the risks inherent in the electronic appointment booking service.

Logging in with the intention of cheating can be difficult to detect, because the electronic appointment maintained by the registrar does not use identification (weak or strong). Electronic login attempts could, for example, be distributed over a long period of time, to several destinations and to those coming from different IP addresses. When electronic appointment booking does not require weak or strong identification, booking an appointment is possible using another person's personal information. Appointments made without permission using another person's information are called ghost appointments. For example, a ghost appointment made for the purpose of teasing can cause a variety of damage to the registered subject of the ghost appointment, such as resentment over the investigation of the matter, as well as financial damages (invoice resulting from the service). A person can become the target of identity theft if his personal identification number is used in accordance with the identification code of an act that qualifies as identity theft.

According to Section 17(1) of the Act on the Electronic Processing of Customer Data in Social and Health Care, i.e. the Customer Data Act (784/2021), the customer must be reliably identified in the electronic processing of customer data. In connection with remote services, at least strong identification is considered a reliable identification method according to the Licensing and Supervision Agency of the Social and Health Sector and the Center for Customer and Patient Safety. With strong electronic identification, you can verify your identity in electronic transactions.

Article 32 of the General Data Protection Regulation requires the data controller to implement technical and organizational measures that enable the data controller to ensure that the security of personal data processing corresponds to the risks to the rights and freedoms of data subjects arising from the processing of personal data. When assessing the appropriate level of security, the controller must pay attention, among other things, to the risks posed to data subjects by unauthorized disclosure or access to personal data (Article 32, paragraph 2 of the General Data Protection Regulation). The controller can try to reduce the risks, for example, by being able to guarantee the continuous confidentiality of the information systems and services used to process personal data (Article 32, paragraph 1, subparagraph b of the General Data Protection Regulation).

The Deputy Data Protection Commissioner considers that the level of security of personal data processing cannot be considered appropriate as referred to in Article 32, Paragraphs 1 and 2 of the General Data Protection Regulation with regard to the controller's online appointment booking system. Weaknesses in the online appointment booking system can be corrected, based on the report provided by the data controller, for example by introducing a password and/or switching to strong electronic identification in accordance with Section 2, subsection 1 of the Act on Strong Electronic Identification and Electronic Trust Services (2009/617).

On the grounds mentioned above, the Deputy Data Protection Commissioner gives the controller an order in accordance with Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to bring the processing activities in accordance with the provisions of Article 32, paragraphs 1 and 2 of the General Data Protection Regulation. In the future, the controller must identify the user of the online appointment booking system in a reliable way so that the requirements of Article 32, paragraphs 1 and 2 of the General Data Protection Regulation are met. The deputy data protection commissioner orders a report on the measures taken to be submitted to the data protection commissioner's office no later than six weeks after notification of the decision, unless the data controller applies for an amendment to this decision.

Applicable legal provisions

Those mentioned in the justifications.

Appeal

According to Section 25 of the Data Protection Act (1050/2018), this decision can be appealed by appealing to the Administrative Court in accordance with the provisions of the Act on Trial in Administrative Matters (808/2019). The appeal is made to the administrative court.

Service

The decision is notified in accordance with Section 60 of the Administrative Act (434/2003) by mail against receipt.

The decision was made by Deputy Data Protection Commissioner Heljä-Tuulia Pihamaa.

The decision is not yet legally binding.