Tietosuojavaltuutetun toimisto (Finland) - TSV/29/2020

From GDPRhub
Revision as of 08:54, 3 April 2024 by Mg
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(c) GDPR
Article 25(2) GDPR
Article 58(2)(d) GDPR
Article 87 GDPR
§ 29(4) Data Protection Act
Type: Investigation
Outcome: Violation Found
Started: 27.01.2020
Decided: 12.03.2024
Published: 27.03.2024
Fine: n/a
Parties: n/a
National Case Number/Name: TSV/29/2020
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: fred

The DPA found a hospital to have breached the principle of data minimisation by including unique and virtually permanent identification numbers in text messages sent to patients.

English Summary

Facts

The Finnish DPA was notified that a hospital had sent test results to its patients by SMS, including the patient's personal identification number. The DPA then asked the controller to explain the purpose of including personal identification numbers in text messages.

In response to the request, the controller clarified that its mobile service automatically sent test results, treatment instructions and a proposal for the next monitoring date to patients via SMS, for example, as follows: “[Patient ID]: [Test X] score is [Y] and everything is fine. Your next checkup is on [date]”. The controller stated that the inclusion of the personal identification number in the SMS ensured that the patient information was not inadvertently disclosed to the wrong persons with the same name.

The controller considered that the risk related to the processing of the personal identification code was minimal when the personal identification code was sent as an SMS to the patient's mobile phone. The controller claimed that if the SMS was sent to the wrong person, the risks to the life and health of the data subject could be significant.

Holding

On the basis of the information provided by the controller, the DPA noted that the purpose of Section 29 of the Finnish Data Protection Act is to protect the personal identification number and to prevent its unnecessary processing. In addition, according to Section 29(4) of the Finnish Data Protection Act, the personal identification number must not be unnecessarily included in documents printed or created on the basis of a filing system. The DPA was of the opinion that an SMS should be considered such a document.

The DPA emphasised that, in accordance with Article 87 GDPR, the national identification number shall be used only under appropriate safeguards for the rights and freedoms of the data subject. The DPA noted that the personal identification number is a unique and virtually permanent identifier, access to which by third parties may cause significant harm to the data subject, such as identity theft. Furthermore, the SMS messaging system does not provide for the encryption of message content or traffic data.

In light of this, the DPA considered that the inclusion of the personal identification number in the SMS does not in fact guarantee that the SMS is addressed to the right person. The DPA stated that the controller should not process personal identification numbers for the sole purpose of facilitating its operations. Therefore, the controller should not have unnecessarily included the personal identity number in the SMS.

On the basis of the information gathered, the DPA held that the controller had violated Article 5(1)(c) GDPR, Article 25(2) GDPR and Section 29(4) of the Finnish Data Protection Act. As a result, and in accordance with Article 58(2)(d) GDPR, the DPA ordered the controller to bring its processing operations into compliance with the aforementioned provisions.


English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Matter

Sending personal ID and laboratory test data to the patient via text message
Controller

Welfare district (At the time the matter was initiated, the hospital district was the data controller. From January 1, 2023, responsibility for the register has been transferred from the hospital district to the welfare district.)
Notification made to the office of the Data Protection Commissioner

The person who contacted the Data Protection Commissioner's office on January 27, 2020 stated in his report that he had received a text message from the central hospital that started with his personal identification number and in which he was told that his PSA sample had failed. The text message asked to contact the laboratory.

The person who made the report asked whether this practice complies with data protection legislation.
Statement received from the controller

The Office of the Data Protection Commissioner requested an explanation from the controller in a request dated August 2, 2022. The controller issued a written statement on the matter on August 23, 2022.

In its statement, the controller argued that including the personal identification number in text messages ensures, for example, that information is not accidentally sent to wrong persons with the same name.

According to the controller, the mobile service automatically sends the patient a text message containing the value measured in the test, treatment instructions and a proposal for the next monitoring date. The content of the automatic text messages can be, for example, the following:

“[Patient ID]: [Test X] score is [Y] and everything is fine. Your next checkup is on [date]”

“[Patient ID]: The value of [Test X] is [Y]. To check the situation, please contact us”

According to the controller, in a service where the personal identification number is transmitted by text message to the patient's own mobile phone, the risk related to the processing of the personal identification number is estimated to be low. On the other hand, in a situation where a message following a laboratory test is sent to the wrong person, the risks to the data subject's life and health can be considerably high.
Applicable legislation

The General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council (General Data Protection Regulation) and the specifying national data protection act (1050/2018) apply in this case.

Article 5(1)(c) of the General Data Protection Regulation provides for the principle of data minimisation. According to the article, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Article 25 of the General Data Protection Regulation provides for data protection by design and by default. According to paragraph 1 of the article, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller must, both when determining the means of processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing, so that the processing meets the requirements of the General Data Protection Regulation and the rights of data subjects are protected. According to paragraph 2 of the article, the controller must implement appropriate technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. This obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures must ensure that by default personal data are not made accessible to an indefinite number of natural persons without the individual's intervention.

Article 32 of the General Data Protection Regulation provides for the security of processing. According to paragraph 1 of the article, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. According to paragraph 2 of the article, in assessing the appropriate level of security, particular account must be taken of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

Article 87 of the General Data Protection Regulation provides for the processing of the national identification number. According to the article, Member States may further determine the specific conditions for the processing of a national identification number or any other identifier of general application. In that case, the national identification number or other identifier of general application must be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to the General Data Protection Regulation.

At the time of the events at issue, Section 29 of the Data Protection Act provided for the processing of personal identification numbers as follows. Under Section 29.1, a personal identification number may be processed with the consent of the data subject or where the processing is provided for by law. In addition, a personal identification number may be processed if unambiguous identification of the data subject is important: 1) in order to perform a task laid down by law; 2) in order to implement the rights and obligations of the data subject or the controller; or 3) for historical or scientific research or statistics. Under Section 29.2, a personal identification number may be processed in the granting of credit or in debt collection, in insurance, credit institution, payment service, rental and lending activities, in credit information activities, in health care, in social welfare and other social security, or in matters concerning public-service, employment and other service relationships and related benefits. Under Section 29.4, a personal identification number must not be entered unnecessarily in documents printed or drawn up on the basis of a filing system.

The provisions of Section 29 of the Data Protection Act were tightened by a legislative amendment that entered into force on January 1, 2024. In this decision of the Deputy Data Protection Commissioner, the provisions in force at the time of the events are applied.
Legal issue

The Deputy Data Protection Commissioner assesses and resolves the matter on the basis of the aforementioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018).

The Deputy Data Protection Commissioner must resolve:

Whether the controller's established procedure of sending data subjects automated text messages about laboratory visits that include the personal identification number has complied with Article 5(1)(c) and Article 25(2) of the General Data Protection Regulation and Section 29.4 of the Data Protection Act.

The case that is now the subject of the decision also raises questions related to the use of text messages and the security of processing under Article 32(1) and (2) of the General Data Protection Regulation. Regarding the protection of personal data sent by text message, the Deputy Data Protection Commissioner gives guidance to the controller.
Decision of the Deputy Data Protection Commissioner
Decision

The controller's established procedure of sending data subjects automated text messages about laboratory visits that include the personal identification number has not complied with Section 29.4 of the Data Protection Act (processing of personal identification numbers), Article 5(1)(c) of the General Data Protection Regulation (data minimisation) or Article 25(2) of the General Data Protection Regulation (data protection by default).

The controller is ordered, in accordance with Article 58(2)(d) of the General Data Protection Regulation, to bring its processing operations concerning the personal identification number into compliance with the provisions of the General Data Protection Regulation and the Data Protection Act.

The Deputy Data Protection Commissioner orders the controller to submit a report on the measures taken to the Data Protection Commissioner's office by May 13, 2024, unless it appeals this decision.

Regarding the procedure for sending laboratory test data by text message, the Deputy Data Protection Commissioner gives guidance to the controller.
Reasoning
The necessity of a personal ID in text messages

In the case under assessment, the person who reported the matter to the Data Protection Commissioner's office was sent a text message about the failure of a laboratory test. The text message also contained the person's personal identification number and urged him to contact the laboratory. The text message was sent to the patient automatically via a mobile service.

In its statement, the controller has argued that including the personal identification number in text messages ensures, for example, that information is not mistakenly sent to persons with the same name but a different personal identification number.

The purpose of Section 29 of the Data Protection Act is to protect the personal identification number and to try to prevent its unnecessary processing. (HE 96/1998, p. 48.) According to Section 29.4 of the Data Protection Act, the personal identification number must not be entered unnecessarily in documents printed or drawn up based on the personal register.

The concept of a document is broad. In legislation, the concept of a document is defined, for example, in Section 5.1 of the Act on the Openness of Government Activities (621/1999). Under that Act, a document means, in addition to a written or pictorial representation, a message consisting of signs that are intended to belong together by virtue of their use and that concern a specific object or matter, and that can be read only with the aid of automatic data processing, audio or video reproduction equipment, or other aids. (It should also be remembered that the protection of natural persons should be technologically neutral, i.e. it should not depend on the technology used; see e.g. recital 15 of the General Data Protection Regulation.) What is laid down in Section 29.4 of the Data Protection Act is not limited to certain types of documents. In the case under assessment, the text message must be considered a document within the meaning of Section 29.4 of the Data Protection Act, in which the personal identification number must not be entered unnecessarily.

In addition to Section 29 of the Data Protection Act, other relevant provisions of the General Data Protection Regulation, such as Article 5(1)(c) and Article 25(2), apply to the processing of personal identification numbers. (The national identification number must be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to the General Data Protection Regulation; see Article 87 of the General Data Protection Regulation and HE 9/2018 vp, p. 113. See also e.g. the judgment of the Court of Justice of the European Union in case C-439/19, paragraph 96.) It follows from the aforementioned provisions that the controller must build its information systems so that the personal identification number is processed only in situations where it is necessary.

The Deputy Data Protection Commissioner states that the reasons presented by the controller for the necessity of processing the personal identification number essentially concern identifying the data subject at the stage when the right patient's information is retrieved from the information system. The controller may process the personal identification number in its backend system in order to identify the patient and to ensure that the text message is forwarded to the right person.

The Deputy Data Protection Commissioner states that although the personal identification number can be processed to identify the person to whom the text message is intended to be forwarded, the personal identification number should not be unnecessarily included in the content of the text message.

The Deputy Data Protection Commissioner considers that entering the personal identification number in a text message does not in fact affect whether the message reaches the right person. The controller has not put forward any other grounds for processing the personal identification number, and the Deputy Data Protection Commissioner is not aware of any other grounds on which it would be necessary to include the personal identification number in the text message. For the reasons presented above, the controller's procedure has therefore not complied with Articles 5(1)(c) and 25(2) of the General Data Protection Regulation or Section 29.4 of the Data Protection Act.

In this connection, the Deputy Data Protection Commissioner reminds the controller that the personal identification number must not be used, for example, solely to make the controller's operations smoother, and the controller must not process the personal identification number merely because data processing is easier with it. (See also HE 9/2018 vp, pp. 113–114.) Information systems must be built in such a way that automatically sent text messages do not include personal identification numbers unnecessarily. The personal identification number must also be processed in such a way that it does not become improperly available to outsiders.

With regard to this procedure, the Deputy Data Protection Commissioner issues an order to the data controller to bring the processing operations into compliance with data protection regulations.
Protection of personal data sent by text message

With regard to the protection of personal data sent by text message, the Deputy Data Protection Commissioner provides general guidance to the controller.

The person who initiated the case was sent a text message containing their personal identification number and information about the failure of a specific, separately named laboratory test. These were text messages sent to data subjects as part of the controller's established practice.

The following can be stated about the data security of text messages: SMS messages travel unprotected in the mobile network between telecom operators. The content of SMS messages is not protected during transmission, for example by encryption, except on the radio link between the mobile device and the base station of the mobile network. The SMS messaging system (SS7) does not provide for encryption of message content or traffic data.

It can also be noted that vulnerabilities have been identified in the SS7 protocol suite that implements the transmission mechanisms of SMS messages; these pose a threat to the confidentiality of communications and cannot be repaired or properly managed. Because of these vulnerabilities it is possible, for example, for SMS messages sent to a certain subscription to be routed to a telecom operator that is not involved in carrying the communication in the mobile network and to be read there in plain text. Data can also be extracted by malware installed on mobile devices. In addition, misuse of the roaming feature of the SS7 protocol suite may enable, for example, the eavesdropping of traffic between a mobile device and the mobile network. SMS messages can also be intercepted locally using fake base stations or malicious applications.

The personal identification number is a strongly identifying identifier that was originally intended to be permanent, and its disclosure to outsiders can cause significant harm to the data subject, such as becoming a victim of identity theft. The personal identification number must be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to the General Data Protection Regulation.

Information about a medical procedure performed on a specific person is, in turn, health data belonging to the special categories of personal data (Article 9 of the General Data Protection Regulation). The controller must protect data belonging to the special categories particularly well. (See e.g. recital 51 of the General Data Protection Regulation. The legislation also lays down special confidentiality obligations when a health care unit processes a patient's health data.)

The Deputy Data Protection Commissioner draws the controller's attention to the data security risks associated with the procedure described above, which the controller must take into account in order to meet the requirements of Article 32(1) and (2) of the General Data Protection Regulation, such as appropriate management of the risks related to access to personal data. Because of the way text message protection is implemented in general, the controller cannot in practice improve this protection by technical measures of its own; it must instead ensure appropriate protection of personal data by limiting the personal data included in text messages sent unilaterally to data subjects.

The data content of text messages sent to data subjects must therefore be determined in accordance with the security of processing requirement and the requirements of data protection by design and by default (Article 25 of the General Data Protection Regulation), following a risk-based approach. Likewise, when defining the content of text messages, the controller must properly take into account the shortcomings in the protection of text messages and the nature of the information delivered by text message.

Based on the above, the Deputy Data Protection Commissioner directs the controller to limit the data content of text messages appropriately as its default mode of operation. For example, in the case of the person who reported the matter to the Data Protection Commissioner's office, the content of the text message could have been limited so that it stated at a general level that the laboratory test had failed and asked the person to contact the laboratory.
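As an added illustration (not part of the decision and not the hospital's own system), the following Python sketch shows how an outbound SMS gate could enforce the content limits described above: the personal identity code stays in the backend for patient lookup, the message body is built at a general level, and a final check rejects any body that still contains a syntactically valid identity code or a named test. The identity code, the test name and the message wording are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Finnish personal identity code (henkilotunnus): DDMMYY, century mark, 3-digit
# individual number, check character. The mark set includes the letters added in 2023.
HETU_RE = re.compile(
    r"(?<![0-9A-Z])(\d{6})([-+ABCDEFYXWVU])(\d{3})([0-9ABCDEFHJKLMNPRSTUVWXY])(?![0-9A-Z])"
)
CHECK_CHARS = "0123456789ABCDEFHJKLMNPRSTUVWXY"


def is_valid_hetu(code: str) -> bool:
    """True if the whole string is a syntactically valid identity code (check char OK)."""
    m = HETU_RE.fullmatch(code.upper())
    if not m:
        return False
    ddmmyy, _mark, individual, check = m.groups()
    return CHECK_CHARS[int(ddmmyy + individual) % 31] == check


def find_hetus(text: str) -> list[str]:
    """Return every valid identity code embedded in free text, e.g. an SMS body."""
    return [m.group(0) for m in HETU_RE.finditer(text.upper())
            if is_valid_hetu(m.group(0))]


@dataclass
class LabResult:
    hetu: str        # used only in the backend to select the right patient record
    test_name: str   # e.g. "PSA": health data, a special category under Article 9
    ok: bool
    next_check: str


def original_message(r: LabResult) -> str:
    """The pattern the decision faulted: identity code and test name in the body."""
    if r.ok:
        return f"{r.hetu}: {r.test_name} result is fine. Your next checkup is on {r.next_check}"
    return f"{r.hetu}: The {r.test_name} sample failed. Please contact the laboratory."


def minimised_message(r: LabResult) -> str:
    """General-level notice along the lines the decision suggests: no code, no test name."""
    if r.ok:
        return f"Your laboratory result needs no action. Your next checkup is on {r.next_check}"
    return "Your laboratory sample could not be processed. Please contact the laboratory."


def outbound_sms_findings(text: str, health_terms: tuple[str, ...]) -> list[str]:
    """Policy check run before a body is handed to the SMS gateway. Flags identity
    codes and named tests, since SMS content transits SS7 without encryption."""
    findings = [f"identity code {h}" for h in find_hetus(text)]
    findings += [f"health term {t}" for t in health_terms
                 if re.search(rf"\b{re.escape(t)}\b", text, re.IGNORECASE)]
    return findings


def send_if_compliant(text: str, health_terms: tuple[str, ...] = ("PSA",)) -> bool:
    """Return True when the body may be sent; a production gate would log and drop it."""
    return not outbound_sms_findings(text, health_terms)


# Constructed sample: the identity code is synthetic (individual number in the 900 range).
SAMPLE = LabResult(hetu="010190-900P", test_name="PSA", ok=False, next_check="2024-06-01")

if __name__ == "__main__":
    for build in (original_message, minimised_message):
        body = build(SAMPLE)
        print(f"{build.__name__}: {body!r}")
        print(f"  findings: {outbound_sms_findings(body, ('PSA',))}")
```

Running the script prints the faulted and the minimised body side by side with the findings each one triggers.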

When determining its procedures, the controller should also assess alternative ways of bringing personal data to the attention of data subjects as part of its established practice.