Privacy Blog
SWEDISH DATA PROTECTION AUTHORITY AUDITS AND FINES THE HEALTHCARE PROVIDERS
07.12.2020
The European Data Protection Board (“EDPB”) announced that the Swedish Data Protection Authority audited eight healthcare providers with respect to how they manage personnel access to patients' electronic health data and whether sufficient access restrictions are in place, and that seven of the eight healthcare providers were fined.
As a result of the audits, it was determined that the healthcare providers had not evaluated the personnel's need to access the information in the health records and had not analyzed the potential risks involved in accessing patient data, both of which are essential in order to assign adequate access authorization for personal data in electronic health records.
The Swedish DPA has defined this evaluation and analysis as a “needs and risk analysis.” It stated that without such a needs and risk analysis, healthcare providers cannot assign personnel a correct level of authorization and cannot protect patients' privacy.
In this context, concerning the seven healthcare institutions audited, the Swedish DPA concluded that the personnel's authorization to access patients' health records was not limited to what is absolutely necessary. Therefore, adequate and appropriate measures had not been taken by the relevant healthcare providers to ensure data security. For this reason, administrative fines of between SEK 2.5 million and SEK 30 million were imposed on the relevant healthcare providers.
You can find the text of the EDPB’s statement here.
Should you have any queries and/or remarks, please do not hesitate to contact us.
Kind regards,
Zumbul Attorneys-at-Law
info@zumbul.av.tr