Nokumo logo

07. Sep 23
Avoiding breach of sensitive personal data

What is a personal data breach according to GDPR?

Here what the Regulation reads:

"personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed"

If you are looking at the personal data breach through ISO 27001, a personal data breach is an information security incident. Looking at the 3 pillars of information security we know that information security stands on the following

  • confidentiality
  • integrity
  • availability


Putting GDPR data breach in ISO bins it would read like this

Confidentiality and GDPR data breach

  • unauthorized disclosure
  • access by an unauthorized third party
  • sending personal data to an incorrect recipient
  • computing devices containing personal data being lost or stolen

Integrity and GDPR data breach

  • accidental or unlawful destruction
  • loss of personal data
  • alteration of personal data without permission

Availability and GDPR data breach

  • accidental or unlawful destruction
  • loss of personal data
  • loss of availability or access to personal data

 

Taking a risk perspective and starting from administrative fines issued by national supervisory bodies for personal data privacy it seems that the most important category of all special data categories "sensitive data" is personal data concerning the health of the data subject as described in Article 9.1. of GDPR. Analyzing the regulator's behavior with respect to data concerning health, the primary focus seems to be the prevention of unauthorized disclosure and penalization of not only disclosure but even a possibility of disclosure. Even though every country has other laws that regulate professional secrecy, GDPR Article 9.3. emphasizes that oath of secrecy and responsibility to keep data concerning health private.

Moreover, GDPR gives the EU Member States the possibility to introduce further conditions, including limitations with regard to processing genetic data, biometric data, and data concerning health.

With regard to health, personal data has at least double protection (it's protected by special laws in every Member State where every national lex specialis regulates the obligation to keep health data private (e.g. medical doctors are obliged to maintain doctor-patient confidentiality and in case of the breach they have moral accountability where they can be stripped of a license to practice medicine, minor infraction/misdemeanor responsibility where they can be fined to a criminal offense where they can be jailed - by unauthorized disclosure of confidential information, especially about children).

Depending on the EU Member State, special laws concerning the protection of rights of patients have proliferated which grant individuals (as data subjects) additional protection, with emphasis on the doctor-patient confidentiality, right of the patient to receive timely information, right of the patient to prohibit disclosure of data concerning health to identified individuals.

Medical doctors in all EU Member States are additionally regulated in terms of confidentiality by ethical codes, codes of conduct, and similar bylaws or standards.

The same goes for pharmacists who are obligated to maintain pharmacist-patient confidentiality either by laws or ethical codes of conduct where they can bear the consequences for even minor infringements. Nurses bear nearly the same responsibility. Needless to say, all laws, bylaws, and rules, even without GDPR in place, already grant personal data rights concerning health by members of the healthcare team, whereas others are governed by more general non-disclosure obligations.

With the implementation of GDPR, personal data concerning health is considered as a special category of data and enjoys special protection in general (e.g. employer may find out about employees terminal illness, addiction, or other health-related personal data if employees share, but also because that information is included in the sick leave notes issued by the primary healthcare professionals to employees so they can be paid during sick leave (regulations are different from Member State to Member State).

Not only that the employer is prohibited from making any decisions based on the documentation about sick leave, but that is punishable by penal provisions of GDPR because otherwise it would be considered as unlawful data processing. Because employers receive documentation (physical or digital), they are obligated to safeguard that data proportionate to its sensitivity and risk of the impact of its unauthorized disclosure, and that includes the data about sick leaves.

When technical and organizational measures are concerned following cases should be briefly analyzed

  1. Case of a Portuguese hospital that was fined 400.000 EUR in 2018 because non-medical staff had access to all medical records in the hospital's system which constituted a failure to implement technical and organizational measures that ensure a level of data security appropriate for the level of risk presented by processing personal data and lead to unauthorized disclosure of data: personal data breach as hospital failed to adhere to Article 32. of GDPR.
  2. Case of Dutch Haga Hospital in The Hague was fined 460.000 EUR where hundreds of employees were caught accessing medical records of a TV star without authorization which constituted a failure to implement technical and organizational measures that ensure a level of data security appropriate for the level of risk presented by processing personal data and lead to unauthorized disclosure of data: personal data breach as hospital failed to adhere to Article 32. of GDPR.
  3. Case of London based pharmacy that was fined 275.000 GBP (297.000 EUR) because they stored 50.000 documents in unlocked crates which constituted a failure to implement technical and organizational measures that ensure a level of data security appropriate for the level of risk presented by processing personal data and lead to unauthorized disclosure of data: personal data breach as hospital failed to adhere to Article 32. of GDPR.
  4. Case of the hospital in Rhineland-Palatinate, Germany was fined 105.000 EUR that started as a patient mix-up when admitting the patient which lead to incorrect invoicing and revealed both technical and organizational shortfalls in the hospital's privacy management that constituted a failure to implement technical and organizational measures that ensure a level of data security appropriate for the level of risk presented by processing personal data which lead to unauthorized disclosure of data, data loss, damage to the documentation:  personal data breach as pharmacy failed to adhere to Article 32. of GDPR.
  5. The case of Norwegian Østfold HF Hospital was fined 112.00 EUR because it was found that Østfold HF Hospital had stored patient data, including sensitive data (e.g. the reason for hospitalization), from 2013 to 2019 without controlling access to the folders where the data was stored. That finding constituted a failure to implement technical and organizational measures that ensure a level of data security appropriate for the level of risk presented by processing personal data which lead to unauthorized disclosure of data, data loss, damage to the documentation:  personal data breach as pharmacy failed to adhere to Article 32. of GDPR.
  6. Case of Italian Azienda Ospedaliero Universitaria Integrata di Verona (Hospital) that was fined in 2020 with 30.000 EUR because it was found that a trainee and a radiologist gained access to the health data of their colleagues which constituted infraction of Article 5.1.f as data wasn't processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality) and failure to implement technical and organizational measures that ensure a level of data security appropriate for the level of risk that was designated as an infraction of Article 32. of GDPR.
  7. Case of Spanish Global Business Travel Spain SLU which was fined 5.000 EUR because one employee accessed the health data of one person which lead to the conclusion that there were insufficient technical and organizational measures to ensure information security infringing Article 32 (2) and 32 (4) of GDPR.
  8. The case of Bulgarian DSK Bank was fined 511.000 EUR because of leakage of personal data due to inadequate technical and organizational measures to ensure the protection of information security. Third parties had access to over 23.000 credit records relating to over 33.000 bank customers including personal data such as names, citizenships, identification numbers, addresses, copies of identity cards, and biometric data infringing Article 32. of GDPR.

  9. Case of Dutch company fined with 725.000 EUR in 2020 for scanning the fingerprints of its employees in order to record attendance. As fingerprints fall under sensitive data according to Art. 9 GDPR, by being biometric data and therefore can easily identify a data subject, the Dutch DPA has addressed two exceptions in the present case: explicit consent according to Art. 9 II a GDPR, and the necessity of the processing for security reasons, which are related back to Art.9 II g GDPR. and concluded that fingerprint scanning in the matter was unnecessary and disproportionate to the invasion of the employees’ privacy.

Analyzing above listed cases, it is important to note that managing the access rights to specific data records lays not only on the health institutions but to employers, too. Introducing access rights policies and technical measures to sensitive data categories seems to be of paramount importance to every organization, as failure to do so can easily lead to administrative fines.

There is no reason to assume that biometric data and genetic data is any less sensitive than personal data concerning health and that it should enjoy the same level of protection mandated by GDPR. Moreover, other special categories of data including religious or philosophical beliefs, affiliation to trade unions, racial or ethnic origin, data concerning an individual's sex life or sexual orientation should include treated the same way and be protected with technical and organizational measures proportionate to the risk they bear (if the processing of that data is lawful, at all) as per provisions of Article 9. of GDPR

Recommended blog posts

  • 11. Sep 20

    Avoiding breach of sensitive personal data

    A personal data breach can occur inadvertently, not because of negligence, but because analysis sometimes shows that certain data is not personal data, whereas, in fact, it is. Our view is that if designating data as personal depends on many factors, mostly on the context of data processing. Handling special categories of data requires extra care.

    Read article
  • 09. Sep 20

    Indirect identification of an individual using personal data

    GDPR just mentions indirect identification as a method of identifying a person but leaves everyone in the dark about the rest. It's not only about if one wants to identify someone, but it also's about the intrinsic value of data and its inherent ability to facilitate the process of identifying someone, regardless if one intends to do it or not.

    Read article
  • 02. Sep 20

    Direct identification of an individual using personal data

    What is direct identity confirmation? How to navigate through GDPR, as it broadly reads: "identifiable natural person is one who can be identified, directly or indirectly" without mentioning a word what is direct identification and what does it entail. The authors' views might help you shed some light on it.

    Read article
  • 30. Aug 20

    Identification of an individual using personal data

    How to confirm the identity of a person? What are the principles of identity confirmation and their relationship with authentification? How to be GDPR compliant, prevent identity theft and personal information data breaches? This blog post summarizes some of the GDPR topics we were tackling at a high level. If you are just embarking on a GDPR ship with a demanding project, hopefully, our views can make your journey faster and more cost-effective.

    Read article
  • 14. Aug 20

    How to know if data is personal data: avoid rookie GDPR mistakes

    What data should be designated as personal data and what does it mean to directly identify an individual or make identification indirectly? How to recognize personal data when it's not apparent that data actually should be dealt with as if it is personal and enjoy the full protection of GDPR. Why isn't more people discussing the context of data processing? Some of our views in this blog post might make you think twice. 

    Read article
  • 06. Aug 20

    Cookie consent and GDPR - avoid common mistakes

    What data should be designated as personal data and what does it mean to directly identify an individual or make identification indirectly? How to recognize personal data when it's not apparent that data actually should be dealt with as if it is personal and enjoy the full protection of GDPR. Why isn't more people discussing the context of data processing? Some of our views in this blog post might make you think twice. 

    Read article
  • 04. Aug 20

    ISO/IEC 27001 - understand our way of thinking

    When it comes to information security our goal is that you understand our way of thinking. We believe if you understand how we think that you'll better understand the real importance of following ISO 27001 standard and all benefits it brings to your business.

    Read article