Avoiding breach of sensitive personal data

Author: Dario Alfirević
Published on: 11.09.2020.

What is a personal data breach according to GDPR?

Here is what the Regulation reads:

"personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed"

If you look at a personal data breach through ISO 27001, a personal data breach is an information security incident. Information security stands on the following three pillars:

  • confidentiality
  • integrity
  • availability


Sorting the GDPR breach types into those three ISO bins, it would read like this:

Confidentiality and GDPR data breach

  • unauthorized disclosure
  • access by an unauthorized third party
  • sending personal data to an incorrect recipient
  • computing devices containing personal data being lost or stolen

Integrity and GDPR data breach

  • accidental or unlawful destruction
  • loss of personal data
  • alteration of personal data without permission

Availability and GDPR data breach

  • accidental or unlawful destruction
  • loss of personal data
  • loss of availability or access to personal data


Taking a risk perspective and starting from the administrative fines issued by national supervisory bodies for personal data privacy, it seems that the most important of all special categories of data ("sensitive data") is personal data concerning the health of the data subject, as described in Article 9.1 of GDPR. Analyzing the regulators' behavior with respect to data concerning health, the primary focus seems to be the prevention of unauthorized disclosure, and the penalization not only of disclosure but even of the possibility of disclosure. Even though every country has other laws that regulate professional secrecy, GDPR Article 9.3 emphasizes the oath of secrecy and the responsibility to keep data concerning health private.

Moreover, GDPR gives the EU Member States the possibility to introduce further conditions, including limitations with regard to processing genetic data, biometric data, and data concerning health.

With regard to health, personal data has at least double protection: it is protected by special laws in every Member State, where a national lex specialis regulates the obligation to keep health data private. Medical doctors, for example, are obliged to maintain doctor-patient confidentiality, and in case of a breach they face moral accountability (they can be stripped of their license to practice medicine), minor infraction or misdemeanor liability (they can be fined), and criminal liability (they can be jailed for unauthorized disclosure of confidential information, especially about children).

Depending on the EU Member State, special laws concerning the protection of patients' rights have proliferated. These grant individuals (as data subjects) additional protection, with emphasis on doctor-patient confidentiality, the right of the patient to receive timely information, and the right of the patient to prohibit disclosure of data concerning health to identified individuals.

Medical doctors in all EU Member States are additionally regulated in terms of confidentiality by ethical codes, codes of conduct, and similar bylaws or standards.

The same goes for pharmacists, who are obligated to maintain pharmacist-patient confidentiality either by law or by ethical codes of conduct, and who can bear the consequences of even minor infringements. Nurses bear nearly the same responsibility. Needless to say, all these laws, bylaws, and rules, even without GDPR in place, already protect personal data concerning health that is handled by members of the healthcare team, whereas other staff are governed by more general non-disclosure obligations.

With the implementation of GDPR, personal data concerning health is a special category of data and enjoys special protection in general. An employer, for example, may find out about an employee's terminal illness, addiction, or other health-related personal data if the employee shares it, but also because that information is included in the sick leave notes issued by primary healthcare professionals to employees so that they can be paid during sick leave (regulations differ from Member State to Member State).

Not only is the employer prohibited from making any decisions based on sick leave documentation, but doing so is punishable under the penal provisions of GDPR, because it would be considered unlawful data processing. Because employers receive this documentation (physical or digital), they are obligated to safeguard it in proportion to its sensitivity and to the impact of its unauthorized disclosure, and that includes data about sick leaves.

Where technical and organizational measures are concerned, the following cases should be briefly analyzed:

  1. Case of a Portuguese hospital that was fined 400.000 EUR in 2018 because non-medical staff had access to all medical records in the hospital's system. This constituted a failure to implement technical and organizational measures that ensure a level of data security appropriate to the level of risk presented by the processing of personal data, and it led to unauthorized disclosure of data: a personal data breach, as the hospital failed to adhere to Article 32 of GDPR.
  2. Case of the Dutch Haga Hospital in The Hague, which was fined 460.000 EUR after hundreds of employees were caught accessing the medical records of a TV star without authorization. This constituted a failure to implement technical and organizational measures that ensure a level of data security appropriate to the level of risk presented by the processing of personal data, and it led to unauthorized disclosure of data: a personal data breach, as the hospital failed to adhere to Article 32 of GDPR.
  3. Case of a London-based pharmacy that was fined 275.000 GBP (297.000 EUR) because it stored 50.000 documents in unlocked crates. This constituted a failure to implement technical and organizational measures that ensure a level of data security appropriate to the level of risk presented by the processing of personal data, and it led to unauthorized disclosure of data: a personal data breach, as the pharmacy failed to adhere to Article 32 of GDPR.
  4. Case of a hospital in Rhineland-Palatinate, Germany, which was fined 105.000 EUR. It started as a patient mix-up on admission, which led to incorrect invoicing and revealed both technical and organizational shortfalls in the hospital's privacy management. This constituted a failure to implement technical and organizational measures that ensure a level of data security appropriate to the level of risk presented by the processing of personal data, which led to unauthorized disclosure of data, data loss and damage to the documentation: a personal data breach, as the hospital failed to adhere to Article 32 of GDPR.
  5. Case of the Norwegian Østfold HF Hospital, which was fined 112.00 EUR because it was found that the hospital had stored patient data, including sensitive data (e.g. the reason for hospitalization), from 2013 to 2019 without controlling access to the folders where the data was stored. That finding constituted a failure to implement technical and organizational measures that ensure a level of data security appropriate to the level of risk presented by the processing of personal data, which led to unauthorized disclosure of data, data loss and damage to the documentation: a personal data breach, as the hospital failed to adhere to Article 32 of GDPR.
  6. Case of the Italian Azienda Ospedaliero Universitaria Integrata di Verona (hospital), which was fined 30.000 EUR in 2020 because it was found that a trainee and a radiologist gained access to the health data of their colleagues. This constituted an infringement of Article 5.1.f, as the data was not processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality'), and a failure to implement technical and organizational measures that ensure a level of data security appropriate to the level of risk, which was designated as an infringement of Article 32 of GDPR.
  7. Case of the Spanish Global Business Travel Spain SLU, which was fined 5.000 EUR because one employee accessed the health data of one person. This led to the conclusion that there were insufficient technical and organisational measures to ensure information security, infringing Article 32(2) and 32(4) of GDPR.
  8. Case of the Bulgarian DSK Bank, which was fined 511.000 EUR because of a leakage of personal data due to inadequate technical and organisational measures to ensure the protection of information security. Third parties had access to over 23.000 credit records relating to over 33.000 bank customers, including personal data such as names, citizenships, identification numbers, addresses, copies of identity cards and biometric data, infringing Article 32 of GDPR.
  9. Case of a Dutch company fined 725.000 EUR in 2020 for scanning the fingerprints of its employees in order to record attendance. As fingerprints are biometric data, and therefore sensitive data according to Article 9 of GDPR that can easily identify a data subject, the Dutch DPA addressed two exceptions in this case: explicit consent according to Article 9(2)(a) GDPR, and the necessity of the processing for security reasons, which relates back to Article 9(2)(g) GDPR. It concluded that fingerprint scanning in this matter was unnecessary and disproportionate to the invasion of the employees' privacy.

Analysing the cases listed above, it is important to note that managing access rights to specific data records falls not only on health institutions but on employers, too. Introducing access rights policies and technical measures for sensitive data categories seems to be of paramount importance to every organization, as failure to do so can easily lead to administrative fines.
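As an added illustration (not code from the original post, nor from any hospital's system), the following Python sketch shows what "access rights policies and technical measures" look like in practice for clinical records: a need-to-know rule, and a review of access logs that flags the two patterns from the cases above, namely non-clinical staff opening records (case 1) and many users without a care relationship opening the same record (case 2). The role names, the log line format and the alert threshold are assumptions, and the log lines are constructed sample data.

```python
from collections import defaultdict

# Roles allowed to open a clinical record, and only for patients they are treating (assumption).
CLINICAL_ROLES = {"physician", "nurse", "pharmacist"}

# Constructed sample access log (not from any real system):
# user|role|patient_id|on_care_team
SAMPLE_LOG = """\
dr_a|physician|P100|yes
nurse_b|nurse|P100|yes
billing_c|billing|P100|no
dr_d|physician|P777|no
nurse_e|nurse|P777|no
admin_f|reception|P777|no
dr_g|physician|P777|yes
pharm_h|pharmacist|P200|yes
"""

def is_authorized(role: str, on_care_team: bool) -> bool:
    """Need-to-know rule: a clinical role AND an active care relationship with the patient."""
    return role in CLINICAL_ROLES and on_care_team

def parse_log(text: str) -> list:
    """Parse the pipe-delimited log into (user, role, patient, on_care_team) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            user, role, patient, team = line.split("|")
            events.append((user, role, patient, team == "yes"))
    return events

def find_violations(events: list) -> list:
    """(user, patient, reason) for every access that fails the need-to-know rule."""
    out = []
    for user, role, patient, on_team in events:
        if is_authorized(role, on_team):
            continue
        reason = "non-clinical role" if role not in CLINICAL_ROLES else "no care relationship"
        out.append((user, patient, reason))
    return out

def find_mass_access(events: list, threshold: int = 3) -> dict:
    """Records opened by at least `threshold` distinct unauthorised users (curiosity lookups)."""
    users = defaultdict(set)
    for user, role, patient, on_team in events:
        if not is_authorized(role, on_team):
            users[patient].add(user)
    return {p: len(u) for p, u in users.items() if len(u) >= threshold}
```

Running both checks over the sample log flags the billing user and the reception user as non-clinical accesses, the two clinicians without a care relationship, and record P777 as a mass-access record.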

There is no reason to assume that biometric data and genetic data are any less sensitive than personal data concerning health; they should enjoy the same level of protection mandated by GDPR. Moreover, the other special categories of data, including religious or philosophical beliefs, trade union membership, racial or ethnic origin, and data concerning an individual's sex life or sexual orientation, should be treated the same way and be protected with technical and organizational measures proportionate to the risk they bear (if the processing of that data is lawful at all), as per the provisions of Article 9 of GDPR.


GDPR fines - selected cases

| Country | Fined entity | Basis for the fine | Fine (local currency) | Fine (EUR) | Sensitive data |
| --- | --- | --- | --- | --- | --- |
| Poland | Warsaw University of Life Sciences | data breach caused by the theft of a laptop | 50.000 PLN | 11.200 EUR | No |
| Hungary | Forbes | failure to provide information to data subjects because a proper interest assessment was not carried out | 4.500.000 HUF | 12.600 EUR | No |
| Poland | Surveyor General | infringing the principle of lawfulness, making personal data internationally available without a legal basis | 100.000 PLN | 22.400 EUR | No |
| Belgium | Proximus | failure to act upon withdrawal of consent, failure to provide transparent information | 20.000 EUR | 20.000 EUR | No |
| Spain | Tour & People Max S.L. | failure to stop processing data by not complying with advertising exclusion | 1.200 EUR | 1.200 EUR | No |
| Spain | Vodafone | failure to stop processing data after an exercised right to erasure, by sending the customer promotional SMS | 75.000 EUR | 75.000 EUR | No |
| Spain | Xfera Moviles | unauthorized disclosure of data to a third party - infringing the principle of confidentiality | 70.000 EUR | 70.000 EUR | No |
| Norway | Rælingen municipality | failure to conduct a risk assessment and data protection impact assessment - possibility of unauthorised disclosure of health information of children | 47.500 EUR | 47.500 EUR | Yes - Health |
| Denmark | PrivatBo | failure to implement appropriate technical and organizational measures, causing unauthorized disclosure of information | 150.000 DKK | 20.160 EUR | No |
| Netherlands | National Credit Register | creating obstacles for data subjects to access their personal data | 830.000 EUR | 830.000 EUR | No |
| Germany | AOK Baden-Wuerttemberg | failure to implement appropriate technical and organizational measures, causing unauthorized disclosure of information - secure data processing | 1.240.000 EUR | 1.240.000 EUR | No |
| Italy | Wind Tre SpA | failure to obtain consent - unsolicited marketing activities; failure to act on the exercised right to be forgotten - published personal information in a public phone book after objections | 17.000.000 EUR | 17.000.000 EUR | No |
| Italy | Iliad | unauthorized access to internet traffic by employees | 800.000 EUR | 800.000 EUR | No |
| Poland | Non-public nursery and pre-school | failure to cooperate with the supervisory authority | 5.000 PLN | 1.100 EUR | Yes |
| Belgium | Google Belgium | failure to respect the right to be forgotten and lack of transparency in delisting request forms | 600.000 EUR | 600.000 EUR | No |
| Belgium | data controller - undisclosed name | failure to obtain consent prior to sending promotional messages and failure to respond to an access request | 10.000 EUR | 10.000 EUR | No |
| Spain | Iberdrola | failure to respond to a request for information | 4.000 EUR | 4.000 EUR | No |
| Finland | Posti Oy | failure to notify data subjects of their rights, failure to conduct a DPIA, excessive data collection from job applicants | 100.000 EUR | 100.000 EUR | No |
| Sweden | Region Örebro County | unauthorised disclosure of sensitive data - health related - information on a psychiatric patient published on the web | 120.000 SEK | 11.000 EUR | Yes |
| Sweden | National Government Service Centre | failure to notify the supervisory body about a data breach | 200.000 SEK | 18.700 EUR | No |
| Sweden | Google | failure to fulfil obligations in respect of the right to be forgotten | 75.000.000 SEK | 7.000.000 EUR | No |
| Iceland | National Center of Addiction Medicine | data breach - unauthorized disclosure of sensitive data - health - information about 252 patients | 3.000.000 ISK | 20.640 EUR | Yes |
| Iceland | Breiðholt Upper Secondary School | lack of appropriate measures to protect personal data - 1 instance of disclosure of sensitive, health-related data | 1.300.000 ISK | 8.900 EUR | Yes |
| Poland | Primary School No. 2 in Gdansk | collecting biometric data (fingerprints) without a legal basis | 20.000 PLN | 4.500 EUR | Yes |
| Netherlands | KNLTB - Tennis Association | unlawfully providing personal data to unauthorised parties (sponsors) | 525.000 EUR | 525.000 EUR | No |
| Italy | TIM SpA | unlawful processing for marketing purposes - millions of individuals | 27.800.000 EUR | 27.800.000 EUR | No |
| Cyprus | Louis Group of Companies | lack of a legal basis to process sensitive data - sick leave scoring | 82.000 EUR | 82.000 EUR | Yes |
| Italy | Eni Gas and Luce | lack of a legal basis to process - unlawful processing in connection with telemarketing; failure to implement appropriate technical and organizational measures, causing unauthorized disclosure of information | 11.500.000 EUR | 11.500.000 EUR | No |
| Greece | ALLSEAS MARINE S.A | illegal installation of CCTV and infringement of the right to access | 15.000 EUR | 15.000 EUR | Yes - Biometric |
| United Kingdom | Doorstep Dispensaree Ltd | failing to process data in a manner that ensures appropriate security against unauthorised or unlawful processing and accidental loss - sensitive data - health related - medical information and prescription data | 275.000 GBP | 297.000 EUR | Yes - Health |
| Sweden | Mrkoll.se | unauthorized public disclosure of data - credit information | 35.000 EUR | 35.000 EUR | No |
| Norway | City of Oslo | failure to protect sensitive data - health related - medical records | 49.300 EUR | 49.000 EUR | Yes - Health |
| Germany | 1&1 Telecom GmbH | failure to implement appropriate technical and organizational measures, causing unauthorized disclosure of information | 9.550.000 EUR | 9.550.000 EUR | No |
| Germany | Facebook Germany GmbH | failure to notify the DPO | 51.000 EUR | 51.000 EUR | No |

Data collected from the EDPB website.

This blog post is made available by the author, who is a licensed ISO 27001 Internal Auditor and has extensive experience in managing privacy. This blog is intended for educational purposes only, as well as to present the author's views on how business understands the law, not to provide specific legal advice. By using this blog site you understand that there is no attorney-client relationship between you and this blog publisher. The blog should not be used as a substitute for competent legal advice from a licensed professional attorney. Views of the author do not necessarily represent the views of Infranet (see our incorporation details), nor do they constitute a promise. Photos: Pexels.com

Tags: GDPR data breach sensitive personal data