Centro Hospitalar Barreiro Montijo has been fined 400,000 euros for violating the General Data Protection Regulation.
The country’s supervisory authority, Comissão Nacional de Protecção de Dados, found that there were three violations of the GDPR. First was a violation of Article 5(1)(c), a minimization principle, by allowing indiscriminate access to an excessive number of users, and a violation of Article 83(5)(a) a violation of the processing basic principles. For those, the fine was 150,000 euros.
The second, a violation of integrity and confidentiality as a result of non-application of technical and organizational measures to prevent unlawful access to personal data under Article 5(1)(f), and also of Article 83(5)(a), a violation of the processing basic principles. There, the fine was 150,000 euros.
Both of the above were punishable with a fine of up to 20 million euros or 4 percent of the total annual turnover.
Finally, the CNPD fined under Article 32(1)(b), the incapacity of the defendant to ensure the continued confidentiality, integrity, availability and resilience of treatment systems and services as well as the non-implementation of the technical and organizational measures to ensure a level of security adequate to the risk, including a process to regularly testing, assessing and evaluating the technical and organizational measures to ensure the security of the processing. There the fine was for 100,000 euros, though the maximum fine was 10 million euros to 2 percent of the total annual turnover.
The defense submitted by the hospital referred that the CNPD could not be considered as the supervisory authority as per Article 51 because it had not yet been appointed formally. To this, CNPD responded that it is, for all purposes, the national authority which has the power to control and supervise the compliance in terms of data protection in accordance with the current Portuguese Data Protection Law.
Also, among its arguments was that the hospital used the IT system provided to public hospitals by the Portuguese Health Ministry and not its own systems.
Some facts considered proven by the CNPD:
- There was no document containing the correspondence between the functional competences of the users and the profiles for access to the information (including to clinical information).
- There was also no document defining the rules for creating users of the hospital’s information system.
- Nine technical employees enjoyed the level of access reserved for the medical group, which resulted in the indiscriminate possibility of such employees consulting the clinical processes of all hospital users.
- Existence of access credentials which allowed any doctor, regardless of his/her specialty, to access at any time the data of the clients of a hospital. This was considered as violating the principle of “need to know” and the principle of “minimization of data.”
- There were 985 users associated with the profile “doctor,” but in the official hospital human resources charts there are only 296 doctors in that hospital.
- Maintenance of useless profiles for doctors who no longer provide services to the hospital.
- There were only 18 user accounts that were inactive and the last one was deactivated in November 2016.
- The defendant acted in a free and voluntary way and consciously knowing that its acts are prohibited by law.
When determining the amount of the fine, which was relatively low considering what it could have been, the CNPD considered the following, in accordance with Article 83(1)(a-k):
- The nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing as well as the number of data subjects affected. It was also considered as relevant the fact that the personal data involved were special categories of data, including health data which increased significantly the risk of damages to the data subjects.
- Possible fraud: the defendant represented the practice of misconduct as a possible consequence of the conduct and conformed to it.
- The defendant’s initiative to mitigate the damages suffered by the data subjects.
- The degree of responsibility of the defendant, taking into account the technical and organizational measures implemented.
- There were no previous infractions.
- Degree of cooperation with the CNPD in order to remedy the infringement and mitigate its possible negative effects.
- How the CNPD learned of the infraction, in that it was not communicated by the hospital but rather was known through the media and later confirmed by the CNPD inspection.
When determining the amount of the penalty the CNPD also considered the fact that the defendant took measures to regularize the situation.
The striking fact about this fine is that the CNPD acted upon a newspaper article and not on a complaint. From this we consider that it was particularly relevant to the CNPD that there were no documented procedures for access to the data, but also that the data involved were special categories of data.
It is also worth mentioning that in the first draft of the proposed new data protection law, there were no penalties applicable to the public entities. This was referred to by the CNPD: That it was not in line with the Portuguese legislative tradition. This fine is in line with that opinion. In fact, according to the CNPD, to exempt public entities from the application of the fines violates the principle of equality and weakens the protection of citizens’ fundamental rights.
The decision was not published in the CNPD site, which obviously does not contribute to promote public awareness and understanding of the risks, rules, safeguards in relation to the processing, as provided for in Article 57 of the GDPR.
Date: January 22, 2019