
Uppsala regional authorities notified the Swedish DPA (Integritetsskyddsmyndigheten - IMY) that a personal data breach had occurred in their jurisdiction in 2019. Based on this notification, the Swedish DPA initiated an investigation into the medical data which the Uppsala Regional Council emailed to other entities.

Although the emails themselves were encrypted, the medical data contained within them was not: the encryption protected the messages in transit, not the patient data once it arrived in a recipient's mailbox. The IMY's audit covered two processing operations. The first concerned emails with patient data that were sent automatically to other health entities within the region for administration and quality assurance purposes (approximately 25 emails per month); the second concerned emails with patient data that were sent manually to researchers and physicians for research and quality monitoring purposes (approximately 200-250 per year). The files could contain data such as name, age, personal identity number, patient category, diagnosis codes, waiting times, date of contact, area of activity, department and county. The IMY stated that the processing operations in total could have concerned between 100,000 and 500,000 individuals for the period between 20. However, its investigation only covered the period between the entry into force of the GDPR in 2018 and the notification date of the data breach on (after which the processing operations were halted).

The IMY took into account Recitals 75 and 76 GDPR in order to assess the responsibilities of the Regional Council (the controller in this case) according to the risks involved in the data it was processing. According to the IMY, in the case of the automated emails there was a certain risk that data could fall into the wrong hands if the system was updated incorrectly, and in the case of the manually sent emails that risk was even higher. Because the emails were encrypted but the medical data within them was not, the IMY noted that although the information could not be intercepted during transmission itself, it could be accessed by both authorised and unauthorised recipients after transmission took place. The IMY highlighted that this case involved large amounts of medical data, including children's data, which is a special category of data with extra protections under Article 9 GDPR. In the IMY's view, the Regional Council should have adopted technical measures (such as encryption of the data itself, rather than only of the transmission) in order to protect the medical data contained in both the automated and the manually sent emails from unauthorised disclosure or access, thereby ensuring an adequate level of security. The IMY also noted that the local government of Uppsala had issued a policy document on the handling of emails which specifically prohibited sending sensitive personal data by email, and that the council should therefore have identified the risks posed by processing the data in this manner.
