It has been almost 3 years since Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) first became applicable for natural persons, stating in article 9 (1) that the processing of special categories of personal data, including data concerning health, shall be generally prohibited.
Naturally, the question arises: how, then, can healthcare providers process such personal data? The answer is provided by article 9 (2) of the GDPR, which sets out the exceptions under which data concerning health may be processed beyond the generally stated purposes. It is important to highlight that if and when these exceptions apply and health-related data may be processed, appropriate technical and organizational measures must be implemented to ensure the security of the special data being processed. The requirements for the security of processing are set out in article 32 of the GDPR.
These are the regulations the Budapest Capital Government Office Branch of District IX failed to observe in connection with the following incident.
On 14 April 2020, the Budapest Capital Government Office Branch of District IX, Office of Administration, Public Health Department (Department) sent an e-mail to general practitioners operating in Districts XI, XII, and XXII of the capital, with an Excel spreadsheet attached detailing the results of the Covid-19 tests administered by the National Ambulance Service, which included the personal data of 1153 patients along with their symptoms. For some reason, however, the e-mail was not sent only to the GPs, as the incident was reported by a private person.
Following an inquiry from the National Authority for Data Protection and Freedom of Information (NAIH), the Department requested the advice of the data protection officer of the Budapest Capital Government Office. According to the data protection officer, before sending the spreadsheet the data should have been filtered by district and sent separately to the general practitioners, as they may only be informed about the data of the patients in their care. However, the data protection officer stated that they deemed that the rights of the data subjects were not endangered during the incident, and therefore, in accordance with article 32 (1) of the GDPR, the incident was not reported to the NAIH, nor were the data subjects notified.
According to the NAIH, the Department did not implement appropriate technical and organizational measures in accordance with article 32 (1)-(2) (such as pseudonymization and encryption) to ensure the protection of the health-related data during the data transfer. Furthermore, during the risk assessment of the incident, the Department did not consider recital (75) of the GDPR, which states that any processing of health-related data at a large volume, as well as processing that may give rise to identity theft or fraud, is considered inherently high-risk. As stated by the NAIH, processing the data concerning health of 1153 data subjects constitutes processing a large amount of data and carries a high risk under the provisions of the GDPR. The data contained in the spreadsheet was especially extensive, allowing patients to be individually identified and, in some cases, an almost concrete diagnosis to be reached from the data available. Transferring such data to third parties carries enormous risks to the personal lives of the data subjects. The Department, contrary to the NAIH's position, failed to correctly assess the severity of the incident and therefore did not comply with its obligation to report the incident to the NAIH in accordance with article 33 (1) of the GDPR, nor to notify the data subjects about the breach in accordance with article 34 (1) of the GDPR.
In its decision, the NAIH issued the Department a data protection fine of HUF 10,000,000 for its handling of the incident.