Tietosuojavaltuutetun toimisto (Finland) - 6745/163/18

From GDPRhub
Tietosuojavaltuutetun toimisto (Finland) - 6745/163/18
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1) GDPR
Article 9(2)(g) GDPR
Article 58(2)(d) GDPR
Finnish Patient Documentation Decree
Finnish Patients Act
Type: Complaint
Outcome: Upheld
Started:
Decided: 29.10.2021
Published:
Fine: None
Parties: n/a
National Case Number/Name: 6745/163/18
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: Finnish DPA (in FI)
Initial Contributor: Florence D'Ath

The Finnish DPA found that national legislation on patient data, read together with the GDPR, does not allow the processing of patient data for the professional development of healthcare professionals.

English Summary[edit | edit source]

Facts[edit | edit source]

A healthcare organization had put a system in place whereby personal data relating to patients were kept for a period of 3 months after treatment of the patients, so that the healthcare professionals who had treated the patients in question could analyze the results and gain experience from it. The health data of identified patients was therefore kept and processed for the purpose of the professional development of healthcare professionals.

Having been informed about the situation, the Finnish DPA decided to analyse whether the GDPR, read in combination with the relevant national law on patients rights, would allow the processing of patient data for the purpose of the professional development of a healthcare professional.

Holding[edit | edit source]

After analyzing the relevant provisions of national law, including the Act on the Status and Rights of Patients 1992/785 (hereafter, the Patients Act), the Finnish DPA found that the processing of patient data is normally allowed for primary use only. This primary use must involve 'patient care', such as when a healthcare professional is processing patient data for the treatment of the patient in question, or for related tasks. The Finnish DPA found however that the processing of patient data for the purpose of the professional development of healthcare professionals cannot be considered as 'patient care' within the meaning of the Patients Act. Neither can it be considered as a task related to patient care, since the healthcare professional would use the data for his/her own development, but would not in any way determine, restore or maintain the health of the patient in question.

The Finnish DPA also considered the fact that, according to Article 9(2)(g) GDPR, the processing of health data is allowed when "necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject". Section 39 of the Finnish Secondary Patient Act further provides that personal data of identified patients can be used for teaching purpose, but only if the teaching cannot be carried out anonymously due to the rarity of the case, the nature of the teaching or any other similar reason. In this case however, the Finnish DPA found that there was a difference between teaching and professional development, and that the controller had not indicated the reason why it was necessary for the patients to still be identified.

For the reasons stated above, the Finnish DPA considered that the legislation on patient data does not allow the processing of patient data for the professional development of healthcare professionals. The Finnish DPA therefore instructed the controller in accordance with Article 58(2)(d) GDPR to bring the processing operations in line with the rules on the processing of patient data. In particular, the Finnish DPA decided that the controller should evaluate its patient data processing practices in relation to the applicable rules, and assess whether the processing of patient data for the professional development of healthcare professionals can be carried out in any other way that would be possible under existing legislation.


Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Processing of patient data for professional development after the end of the care relationship
    Thing
    Processing of patient data for the purpose of professional development of healthcare professionals.
    Description of the case
    The Office of the Data Protection Officer has been informed that the data controller 's security test states "I can look at the data of the patient I treat afterwards in order to get feedback on the results of my work (learning purpose)". The correct answer to the statement in the test was "for 3 months after the patient has been treated in my work unit." The correct answer was specified as follows: "The professional caring for the patient may find out about the patient's follow-up care or stages of development in order to develop their own skills.
    Statement received from the controller
    The controller has been asked to explain on what basis the above-described approach to the processing of patient data is based on the purpose of professional development.
    In his report dated 21 May 2021 (received on 24 May 2021), the Chief Medical Officer of the Registrar refers to the report of the Chief Information Officer B, which is described in the relevant parts below.
    According to the registrar's report, this is the exam material for the online course on data security and data protection published in 2017. The registrar's instructions for processing patient data state that “The professional who cared for the patient may find out about the patient's further treatment or stages of treatment in order to develop their own competence when it comes to the consequences of their own treatment solutions or treatment. In practice, the right lasts for the duration of the technically inferred context of the information system (= 3 months). ' According to the registrar's report, the three-month time limit of the guideline is related to the national specifications prepared by the National Institute for Health and Welfare and the technical implementation of the patient information system, where the patient information system requires the user to indicate a special reason If an employee accesses patient data from the system after the three-month time limit has expired, the employee must provide a specific reason for processing the data. Practices for the use of special causes are instructed separately. The controller has not refused to process the data for the purpose for which the request for clarification is made after the three-month time limit, but then the instructions for the specific reason are followed. In practice, the right to a hearing is considerably more limited after the three-month time limit.
    The controller considers it necessary for the healthcare professional to receive feedback, as appropriate, on the consequences of his treatment decisions and the correctness of diagnoses for professional development purposes, in order to fulfill his duty to provide the best possible care for his patients and maintain a high level of patient safety. The high level of professional competence of healthcare professionals is an important part of quality medical care. It is very difficult for a professional to maintain the level adequately if he or she does not have the opportunity to monitor the follow-up of the patients he or she is treating and return to their information in a justified situation.
    In his report, the controller points out that the guidelines have been subject to the EDPS '2011 decision, according to which professionals responsible for treatment decisions or procedures may check the follow-up of a patient in order to determine the correctness of the diagnosis and related treatment for professional development.
    Furthermore, according to the data controller's report, the processing of patient data for the purpose of professional development is limited to those situations in which the professional has made a treatment decision or carried out the treatment himself or herself. The right does not extend to those workers who have taken part in the treatment or organization of treatment and who have not made any actual treatment decisions, as the processing of patient data at the end of the treatment relationship is not justified for them. As the processing of patient data as a follow-up to follow-up care only concerns patients with whom the professional has had a treatment relationship, the follow-up of follow-up care from the registrar's patient record reveals only limited new information. In addition, healthcare professionals are bound by a statutory duty of confidentiality and the duty continues even if the patient has transferred to another treatment unit for further treatment. If a healthcare professional exercises the right to monitor the patient's follow-up care, the exercise of the right must be justified retrospectively and the processing will always be traced in the patient information system's usage log. When follow-up treatment is performed shortly after the end of treatment, the context for the patient can be easily verified on the basis of log entries in the context of log monitoring and clearing. For this reason, the treatment is mainly limited to a period of three months from the end of the treatment period.
    Legal issue
    The Assistant Data Protection Supervisor will assess whether the legislation on the processing of patient data allows the processing of patient data for the purpose of the professional development of a healthcare professional, as described by the controller.
    Furthermore, the Assistant EDPS will assess whether the remedial powers defined in Article 58 (2) of the General Data Protection Regulation should be exercised.
    Decision and reasons of the Assistant Data Protection Supervisor
    The processing of patient documents is regulated by e.g. Act on the Status and Rights of Patients 1992/785, Patients Act) and the Patient Documents Decree (Decree of the Ministry of Social Affairs and Health on Patient Documents, 2009/298). The processing of patient data is also subject to the General Data Protection Regulation (EU) 2016/679 (hereinafter TSA), which is supplemented and clarified by the Data Protection Act (2018/1050). In addition, the Act on the Secondary Use of Social and Health Information (552/2019, hereinafter the Secondary Act) additionally provides for the secondary processing of personal data stored in social and health care activities. Furthermore, other legislation also provides for situations in which it is possible to process patient data.
    Article 5 (1) (b) of the TSA lays down the principle of purpose limitation, according to which personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. The national regulatory margin available to the TSA allows the processing of personal data to be specified at national level in certain situations. Where such legislation provides for the purposes of the processing of personal data, operators must comply with that regulation.
    Scope of patient data
    The purpose of the use of patient data, derived from section 12 (1) of the Patients Act, is to secure the organization, planning, implementation and monitoring of patient care. According to section 2 (2) of the Patients Act, patient (health and sick) care means a patient
      measures taken to determine the state of health or to restore or maintain his health, which are carried out by health care professionals or carried out in a health care unit. According to section 2 (5) of the Patients 'Act, patients' documents refer to documents or technical records used, prepared or received in the organization and implementation of a patient's care, which contain information concerning his or her state of health or other personal information.
    
    In addition to the restriction of the intended use, the possibilities for processing patient data are further narrowed by the restriction provided in section 13 of the Patients Act on the persons who may process patient data. According to the law, the information contained in patient records is confidential. A healthcare professional or other person working in or performing the tasks of a healthcare functional unit may not provide the information contained in the patient's records to a third party without the written consent of the patient. Bystander means a person other than those involved in the care of a patient or related tasks in or on behalf of the relevant functional unit. Tasks related to patient care are not defined in more detail in the law or in the preliminary work of the law (as also stated by the KKO in case 2014: 86, paragraph 14). Section 13 (3) of the Patients Act defines the situations in which information may be provided without prejudice to subsection (2) of the provision.
    Similarly, Article 4 of the Patient Documentation Decree must be taken into account when determining the scope of use of patient data, according to which participants in patient care or related tasks may process patient records only to the extent required by their duties and responsibilities.
    
    In summary, it can be stated that the processing of patient data in the so-called according to the primary use, this is the case where a healthcare professional is involved in the processing of patient data for the treatment or related tasks of the patient in question. If this condition is met, the healthcare professional may process patient records only for the purpose for which the patient data were collected and only to the extent required by his or her duties and responsibilities in the healthcare unit (as also stated by KKO in case 2014: 86, paragraph 10. Similarly, EOA in case 3491/4 / 15, p. 3).
    Professional development and use of patient data
    The Assistant EDPS must assess whether the processing of patient data for the purposes of professional development can be considered to be included in the so-called patient data processing system described above. in the field of primary use.
    According to the registrar's report, the processing of patient data for the purpose of professional development includes the monitoring of patient care for the purpose of learning. The registrar states that the purpose is limited to those situations in which the professional has made a treatment decision or carried out the treatment himself. The right to process patient data for that purpose does not extend to those workers who have taken part in the treatment or organization of the treatment and who have not made any actual treatment decisions. In his report, the registrar points out that the processing of patient data for the purpose of professional development is also carried out after the end of the treatment relationship, for example when the patient moves to another treatment unit. In addition, according to the registrar, the policy reveals only limited new information about the patient registry data.
    The purpose described by the controller remains quite distant from the original purpose of the patient data. This interpretation is also supported by the controller 's statement that the processing of patient data for the purpose of professional development does not require a valid care relationship. Given that the use is, as described above, quite closely linked in law to the care of the patient in question, it is difficult to see that the conditions for lawful use of patient data are met even if the professional development is limited to situations where the professional has previously made a care decision . The processing of patient data for the purpose of professional development cannot be considered as patient care within the meaning of the Patients Act, nor is it a task related to patient care. It is not a question of monitoring the care of a patient within the meaning of the Patients' Act when the health care professional does not in any way determine, restore or maintain the state of health of the patient in question or take measures related thereto.
    Other regulations on the processing of patient data
    As the purpose of the use of patient data and the persons authorized to process it is defined by the legislation rather precisely, and the processing currently under assessment is not possible within that purpose and the scope of the data subjects, it is necessary to assess whether the processing of patient data as described by the controller is
    The Secondary Act provides for the secondary uses of patient data, which are listed in section 2 of the Act. Of these, the purpose of teaching related to this matter, which is provided for in section 39 of the Secondary Act, should be mentioned. The purpose of teaching has a similar purpose to the purpose of professional development of health care personnel referred to in this case. The aim of the provision is e.g. ensuring the competence of healthcare personnel and ensuring good care and patient safety (HE 159/2017 vp, pp. 127–130). The provision applies to the teaching of both staff and students.
    According to Section 39 of the Secondary Act, the customer data of a healthcare provider may be processed without prejudice to confidentiality obligations and pursuant to Article 9 (2) (g) of the Data Protection Regulation for the production of educational materials
      the teaching of social and health care customer data staff and students studying to become social and health care professionals, if this is necessary to achieve the purpose of the teaching.
      It is also a condition that the processing has been granted an information permit. However, identifiable information may only be used in teaching situations if the teaching cannot be carried out due to the rarity of the case being treated as anonymous, the nature of the teaching or any other similar reason. The person providing the instruction shall inform the persons following the instruction of the obligation of secrecy provided by law and of the sanctions following the violation thereof.
    The purpose of teaching in accordance with section 39 of the Secondary Act and the purpose of professional development to be assessed in this case are similar in themselves. In both cases, it is a question of developing the competence of a health care professional and thereby ensuring good care. However, the data controller's report does not state that it is a matter of processing patient data in accordance with the conditions provided for in section 39 of the Secondary Act. The means put forward by the registrar in achieving the intended use differ substantially from the conditions provided for in section 39 of the Secondary Act. It is therefore not a question of processing in accordance with the conditions of section 39 of the Secondary Act. Teaching in accordance with section 39 of the Secondary Act is, for example, an activity subject to information. In addition, identifying information may only be used for educational purposes if the teaching cannot be carried out due to the rarity of the case being treated as anonymous, the nature of the teaching or any other similar reason. In this case, the controller has not indicated that the development of professional activities would be carried out in a manner similar to that provided for in the Secondary Act, such as on the basis of a data permit and, if necessary, with unidentified data.
    It should also be noted that according to Section 13 (3) (2) of the Patients Act, “information necessary for organizing the examination and treatment of a patient may be provided to another healthcare unit or healthcare professional and a summary of the treatment provided to the referring healthcare unit or or with the oral consent of his or her legal representative or with the consent otherwise expressed in the context '. The explanatory memorandum states that, in order to facilitate the provision of care feedback, care feedback could be provided to the referring healthcare unit or healthcare professional or at the said professional (HE 181/1999 vp. p. 12). According to the EDPS, the professional thus has the opportunity to be informed about the consequences of the treatment decisions and thus also for professional development after the end of the care relationship, as provided in Section 13 (3) (2) of the Patients Act.
    In its report, the controller has not indicated that the processing of patient data for the purpose of professional development would be based on the provisions of the Secondary Act or elsewhere on the processing of patient data. In the opinion of the Assistant Data Protection Supervisor, no grounds can be found in the legislation on the processing of patient data for the processing of patient data in the case under assessment.
    Order of the Assistant Data Protection Supervisor
    For the reasons set out above, the EDPS considers that the legislation on the processing of patient data does not allow the processing of patient data for the purpose of professional development of healthcare professionals, as has been done in the activities of the controller.
    The Assistant EDPS shall instruct the controller in accordance with Article 58 (2) (d) of the General Data Protection Regulation to amend the processing operations to comply with the rules on the processing of patient data. The controller should evaluate his / her patient data processing practices in relation to the above and assess whether the processing of patient data in support of the professional development of healthcare professionals can be carried out in any other way that would be possible under existing legislation.
    Exercise of other remedial powers
    The remedial powers available to the Office of the Data Protection Officer are set out in Article 58 (2) of the TSA. When assessing the lawfulness of the controller 's past conduct, in addition to the provision under subparagraph (d), the supervisor has a notice under subparagraph (b) if the processing operations were in violation of TSA regulations and a temporary or permanent restriction on processing under subparagraph (f). Since, according to section 24 (4) of the Data Protection Act, a penalty fee cannot be imposed on, inter alia, state or municipal authorities, a penalty fee could not be imposed in this case.
    The Assistant Data Protection Supervisor states that the purpose of the development of professional activities has a good purpose in itself. The registrar has not sought to obtain an economic benefit with instructions, for example. Monitoring patient care for the professional development of healthcare staff could, in general, improve the quality of care and improve patient safety when the healthcare professional is informed of the consequences of his or her treatment decisions and is able to apply the information to future patients. On the other hand, according to the controller, the processing brings only limited new information.
    The principle of self-determination laid down for the protection of the patient emphasizes voluntariness in applying for treatment or as a client, as well as in agreeing to various treatment or other measures. Self-determination refers to the patient's right to participate in decision-making about himself or herself. Patient data are collected in connection with the treatment given to the patient. Treatment is in principle voluntary. It is reasonable for the patient to expect that his or her patient data will be processed for his or her treatment, unless the legislation explicitly allows for another use and the patient is informed to the extent necessary.
    The consequences of the subsequent processing for the data subject can also be assessed in the case. The potential consequence of the treatment for an individual patient is the loss of confidentiality of highly personal and confidential information and the compromise of the relationship of trust between the patient and the healthcare professional who treated him or her if the patient did not understand that the patient's data would be processed for professional development. On the other hand, it is noteworthy that processing safeguards are likely to mitigate the potential consequences for the data subject. The safeguards raised by the registrar include, for example, the statutory duty of confidentiality of healthcare professionals and access control.
    In the assessment of the sanctions attached to the order, the EDPS has in particular taken into account that the controller has sought to comply with the EDPS's 2011 statement that professionals responsible for treatment decisions or interventions professional development. The EDPS notes that the revision of the statement at that time to be in line with this Decision is necessary because the legal environment for the processing of patient data has changed significantly since 2011, in particular with the application of the Secondary Act and the TSA. The legal situation regarding the regulation of patient data processing has been significantly clarified since the 2011 opinion.
    In this case, the EDPS does not consider it reasonable to use other remedies as defined in Article 58 (2) of the General Data Protection Regulation in addition to the provision described above.
    Applicable law
    Mentioned in the explanatory memorandum.
    Appeal
    According to section 25 of the Data Protection Act (1050/2018), the data controller may appeal against this decision by appealing to an administrative court in accordance with the provisions of the Act on Administrative Proceedings (808/2019).