Tietosuojavaltuutetun toimisto (Finland) - 8979/162/21
From GDPRhub
| Tietosuojavaltuutetun toimisto - 8979/162/21 | |
|---|---|
 | |
| Authority: | Tietosuojavaltuutetun toimisto (Finland) |
| Jurisdiction: | Finland |
| Relevant Law: | Article 4(2) GDPR Article 6(1) GDPR Article 10 GDPR Article 58(2)(b) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 13.12.2021 |
| Decided: | 18.03.2022 |
| Published: | 18.03.2022 |
| Fine: | n/a |
| Parties: | City of Oulu |
| National Case Number/Name: | 8979/162/21 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Finnish |
| Original Source: | Finlex (in FI) |
| Initial Contributor: | fred |
The Finnish DPA found the social and health authority of a city to have breached Article 6(1) GDPR and Article 10 GDPR by requesting data subjects to provide it with personal data that it had no legal basis for processing.
English Summary
Facts
The Finnish DPA was notified that the social and health authority of the city of Oulu (the controller) had required persons applying to become foster parents to request access to their personal data processed by the police and to provide this information to the controller.
The DPA had asked the controller to explain for what purpose it processed the personal data and why it required the data subjects to provide this information.
In response to the request, the controller clarified that the information received from the police was required in the process of approving applicants as foster parents. The controller had to ensure that the conditions at the foster home were safe and stable and that the children placed in foster care received better care than at home. The controller claimed that the information about, among other things, domestic violence and disruptive behaviour was necessary because it hindered working as a foster parent.
The controller stated that the police did not disclose the information based solely on the consent of the data subject. For this reason, it had become a practice to request the information directly from persons applying to become foster parents.
Holding
On the basis of the information provided by the controller, the DPA considered that the processing of personal data in accordance with Article 4(2) GDPR also covers situations where the controller requires the data subject to disclose documents containing personal data and where the controller reviews them.
The DPA stated that the objective of the right of access is the opportunity of the data subject to stay informed about the lawfulness of the processing and to confirm it. The DPA emphasised that public authorities may not require the data subject to provide them with information based on the data subject's access request, and thus may not use the right of access as a means of obtaining information.
On the basis of the information gathered, the DPA held that the controller had violated Article 6(1) GDPR and Article 10 GDPR by requiring foster parent applicants to exercise their right of access, as it had no legal basis to process the personal data in question. As a result, the DPA issued a reprimand to the controller in accordance with Article 58(2)(b) GDPR.
Comment
The Finnish DPA has issued similar decisions in cases 6689/186/20 and 8979/162/21 concerning different cities.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.
Decision of the Deputy Data Protection Commissioner Thing Exercising the registered right of inspection at the request of the controller regarding the processing of police personal data Initiator Own initiative of the Office of the Data Protection Commissioner Registrar City of Oulu, social and health services The processing of personal data in question According to the information received from the police by the Office of the Data Protection Commissioner, the police have received numerous requests regarding the data subject's right of inspection in accordance with Section 23 of the law on the processing of personal data in criminal matters and in connection with the maintenance of national security (1054/2018, hereinafter the Data Protection Act in Criminal Matters), where the data subject has used the right of inspection at the request of the controller. According to the information received from the police, apparently the social and health services of the data controller have required persons applying for support family or foster family activities to use the registered person's right of inspection regarding the processing of personal data by the police and submit the answer they received for the data controller to see Statement received from the registrar Pursuant to Article 58(1) of the Data Protection Regulation (EU) 2016/679 and Section 18 of the Data Protection Act (1050/2018), the Office of the Data Protection Commissioner has requested an explanation from the data controller with the following questions. The report on the welfare services of the city of Oulu has been received on 13 December 2021. The report was given by the social director. In response to the questions asked in the clarification request, the controller stated the following: 1. Has the social services of the city of Oulu required, for example, persons applying for foster or support family activities to submit to the social services of the city of Oulu based on exercising the right of inspection? Yes. The issue is related to the approval process for family caregivers. According to Section 6 of the Family Care Act, a person who, based on their education, experience or personal characteristics, is suitable to provide family care can be accepted as a family carer. Before entering into an assignment contract, a person who intends to become a family caregiver must complete the preliminary training required for the task. The Family Nursing Act or elsewhere does not provide for record keeping or the authorities' right to receive information regarding persons who apply and are accepted as family caregivers. Basically, child protection, like other social care authorities, has a very wide right to access information in customer matters from other authorities, such as the police, pursuant to Section 20 of the Social Care Customer Act when it is necessary to organize social care. Since the family caregiver is not a client of social care and no client has been placed with her during the application phase, the applicability of the Social Care Client Act and its provision entitling to access to information is unclear, and the City of Oulu is aware that some municipalities have deemed it applicable to those applying to become family caregivers as well. Unlike the Family Care Act, the Adoption Act has a separate provision on the applicability of the Social Care Customer Act to the recipient of adoption counseling (Adoption Act § 96). According to the child protection authorities, it would be necessary to add a similar reference, which explicitly states that the Client Act is applicable to a person applying to become a family caregiver or who is undergoing preliminary training, also in the Family Care Act. Children placed by child protection are children in a particularly vulnerable position and in need of support, often traumatized, whose care and upbringing by a family nurse is a public administrative task. When weighing the effects of different measures on the rights of individuals, child welfare authorities must primarily consider the child's best interests. For the reasons mentioned above, the child welfare authorities must ensure that the conditions at the family caregiver's place are safe and stable and that the children placed in foster care receive better care than at home. The child welfare authorities have considered it necessary to make sure that a person is suitable as a family caregiver even before children are placed with him. From the point of view of the child protection authorities, the information that appears from the criminal records of those who work with children alone has not been sufficient to ensure suitability for the role of a family caregiver. For example, home alarms due to intoxication or domestic violence or other disruptive behavior that appear in the police's data are necessary information, because they can be an obstacle to working as a family caregiver. As stated, the applicability of Section 20 of the Customer Act when a person applies to become a family caregiver and has not yet been placed with children is unclear nationwide. In Oulu, it has been interpreted so that the Social Care Client Act does not apply to a person applying to be a family caregiver during the training/acceptance phase, when there is no client placed with him. Consequently, the only option left is to request information with the consent of the person applying to be a family caregiver or to request information from the person applying to be a family caregiver. According to the information received from the police, information or a statement cannot be handed over to the authority solely based on the person's consent. For this reason, it has become a practice to request police information to be seen directly from the applicants themselves. The city of Oulu's own family caregivers are only people approved as family caregivers, for whom the procedure is described above. Other support family and support person activities There is a shopping service in Oulu. Regarding the shopping service, the city has not made an assessment of the person's suitability as a support family or support person, but the suitability assessment has been made by a private service provider. 2. If the social services of the city of Oulu have operated as described in the 1st question, then who or which institution has decided on the introduction of the procedure and by whom and how has the procedure been instructed? Checking police records for those applying to become family caregivers has been a practice for a long time, and it is not known that it was actually decided or discussed in the municipal institution. 3. If the social services of the city of Oulu have operated as described in question 1, how has the received data been processed (who has been able to process the data, has it been stored on a platform and how long is the data stored)? Police information, as well as other information requested from those applying to become family caregivers, have been processed in the city of Oulu only by certain designated officials and employees in the foster care support unit, whose tasks include the approval of family caregivers. The police data has not been received, collected or stored in the information systems of the child protection authorities, but the system only contains an indication of the data inspection date and the inspector. 4. If the social services of the city of Oulu have operated as described in the 1st question, does it still intend to continue the operation in question? After the request for information from the Data Protection Commissioner, the City of Oulu has become aware of the decision of the Data Protection Commissioner regarding the procedure of the City of Helsinki on January 15, 2021 (6689/186/20), against which the City of Helsinki has appealed. Since the status of the case is unclear, the child protection authorities of the city of Oulu have no longer requested police information from those applying to become family caregivers. However, from the point of view of the child welfare authorities of the city of Oulu, it is risky that the police information could not be checked under any circumstances for those applying to become a family caregiver or support family. From the point of view of the child welfare authorities of the city of Oulu, the legislation should add articles regarding the registration of data of those intending to become family caregivers and family caregivers, and regarding the checking of information, a reference to the applicability of Section 20 of the Social Care Customer Act to the assessment of the suitability of those who intend to become family caregivers. This would make it possible to request information already at the stage when a person applies to become a family caregiver or support family and the authority considers that requesting certain information is necessary to assess the person's suitability and safeguard the child's interests. Those who apply and are accepted as family caregivers must be registered in the authority's personal register. This data registration, as well as the right to receive information about a person applying to be a family caregiver, currently has to be based on consent in the absence of a law, which is not appropriate from the point of view of the child protection authorities, taking into account the principles of the EU data protection regulation, according to which the collection of personal data by the authorities should primarily be based on the law. It would be desirable that the legislation be clarified in this regard quickly. Applicable regulations and evaluation of the case The registrar has implemented a procedure in which persons who wish to become family caregivers must use the registered person's right of inspection provided for in Section 23 of the Criminal Data Protection Act regarding the processing of personal data by the police and present the personal data obtained based on the right of inspection to a representative of the registrar. Family care refers to family care according to Section 3 of the Family Care Act (263/2015). The processing of personal data is defined in Chapter 1, Article 4, Section 2 of the Data Protection Regulation, the processing of personal data is also the fact that the controller requires the registrant to present documents containing personal data and check them. According to Article 10 of the Data Protection Regulation, the processing of personal data related to criminal convictions and crimes or related security measures based on Article 6, paragraph 1, is only carried out under the supervision of an authority or when it is permitted by Union law or the legislation of a Member State, which provides for appropriate safeguards to protect the rights and freedoms of the data subject. A comprehensive criminal record is only kept under the supervision of a public authority. The Data Protection Regulation is directly applicable legislation in the member states. However, Article 6(2) of the Data Protection Regulation enables more detailed regulations to be issued to adapt the provisions of the Regulation when the processing of personal data is necessary to comply with the controller's statutory obligation (Article 6(1)(c)) or to perform a task in the public interest or to exercise public authority vested in the controller (Article 6(1) paragraph e). Article 6, paragraph 3 of the Data Protection Regulation requires that the basis for the processing of personal data is regulated in these situations in Union law or in the legislation of the Member State applicable to the data controller. Such legislation may contain provisions on, among other things, the type of data to be processed, the persons registered, the parties to whom and the purposes for which personal data may be disclosed. In Finnish national legislation, there is a regulation referred to in Article 10 of the Data Protection Regulation, which concerns the processing of personal data related to criminal convictions and crimes in the case of family caregivers. The law on checking the criminal background of people working with children (504/2002) applies to checking the criminal background of family caregivers, in accordance with section 2, subsection 1, point 3 of this law. The legislation has thus created a proportionate and appropriate procedure for checking the criminal background of those working with children. The goal of the registered right of inspection is that the registered person has the opportunity to use this right so that he can himself stay informed about the legality of the processing and check it. The authority cannot require the registered person to provide information obtained based on the use of the registered person's inspection right, and thus cannot use the registered person's inspection right as a tool for the authority's information acquisition. Even if, according to the controller's opinion, the acquisition of more extensive data and the processing of personal data would be justified, the controller cannot introduce additional illegal procedures in addition to the procedure stipulated in the law. Regarding the conditions for the processing of personal data in official duties, Article 6, Clause 1, subsections c and e of the Data Protection Regulation and the national regulations issued based on them are followed. With regard to criminal convictions and crimes or security measures related to them, the regulations regarding the authority's activities must meet the requirements set out in Article 10 of the Data Protection Regulation. By requiring that aspiring family caregivers must use the right of inspection in accordance with Section 23 of the Criminal Data Protection Act, and when processing personal data obtained on the basis of the right of inspection, the controller has acted contrary to the provisions of Article 6(1) and Article 10 of the Data Protection Regulation, as it has not had a legal basis for the processing of the personal data in question. Note from the Deputy Data Protection Commissioner I give the data controller a notice in accordance with Article 58, paragraph 2, subparagraph b of the Data Protection Regulation, because the personal data processing operations of the data controller, as described above, have been in violation of Article 6, Paragraph 1 and Article 10 of the Data Protection Regulation. The registrar has announced that it will not continue the activity in question. Supervision of the deputy data protection officer According to the registrar's report, there is no provision in the Family Care Act or elsewhere for the keeping of records or the authorities' right to receive information regarding persons who apply and are accepted as family caregivers. As a guide, I state that the criminal background check of family caregivers is subject to the Act on investigating the criminal background of those working with children (504/2002), in accordance with section 2, subsection 1, point 3 of this law (section 5 above).
