The Portuguese personal data protection supervisory authority (Comissão Nacional de Protecção de Dados, CNPD – https://www.cnpd.pt/) has fined the Barreiro-Montijo Hospital Center (the "Hospital") EUR 400,000 over its database access policies, which allowed technicians and physicians to consult patients' clinical files without proper authorization.
The fine was disclosed following an inspection carried out by CNPD after an alert issued by the Medical Association. The Hospital may still appeal to the competent courts if it intends to challenge CNPD's decision. The fine was imposed under the General Data Protection Regulation (GDPR) https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&qid=1540890576170&from=EN, which has been fully applicable since 25 May 2018. The administration of the Hospital has challenged CNPD's competence and powers to apply the fine.
CNPD's grounds for starting the administrative action against the Hospital relate to the fact that professionals working in social services had access to patients' personal data files that should have been reserved exclusively to physicians. CNPD also justified the fine on the fact that 985 accounts registered as physicians were active and gave access to clinical files, including special categories of data, although the Hospital's staff only included 296 "active" doctors on the date of the inspection.
CNPD concluded that the Hospital had no internal rules for the creation of accounts (accounts were created on the basis of e-mail requests sent by the directors of the different services) or for granting the different levels of access to clinical information. Moreover, the authentication method did not take into account the identification data linking each professional to the Hospital, so an account could not be reliably traced to a specific member of staff.
CNPD's deliberation identified three infringements: violation of the principle of integrity and confidentiality, violation of the principle of data minimisation (which should prevent indiscriminate access to patients' clinical data), and the inability of the Hospital, as data controller, to ensure the confidentiality and integrity of the data. The first two infringements were punished with a fine of EUR 150,000 each, while the third added a further EUR 100,000, making up the EUR 400,000 total.
During the administrative action initiated by CNPD, the administration of the Hospital argued that CNPD could not be considered the supervisory authority with competence and powers to supervise and enforce data protection rules in Portugal, since the proposal for a law adapting the open issues of the GDPR to Portuguese law is still being drafted and debated in the Assembly of the Republic. However, one may argue that CNPD retains its competence and powers as a supervisory authority under Law 67/98, of 26 October (https://www.cnpd.pt/bin/legis/nacional/LPD.pdf), and that these should remain effective and enforceable after the conclusion of the GDPR's legislative process in Portugal.
CNPD also stated that the Hospital acted deliberately, knowing that it was mandatory to apply the technical and organisational measures essential to i) the identification and authentication of users, ii) the management and delimitation of their access to information profiles, iii) the stratification of those profiles according to the access privileges corresponding to the professional categories of its employees, and iv) the guarantee of the security of the information. Additionally, CNPD stated that the Hospital was expected to have a reliable audit system covering such identifications, accesses and security guarantees.
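The measures CNPD lists map onto checks an engineer can actually run: reconcile every active account against the HR roster, compare each account's grants with what its professional category permits, and audit logged reads against both. The script below is an added illustration written for this page; it is not code from CNPD, the Hospital or the authors of this article, and the roster, accounts, role policy and log lines are all constructed sample data. The policy that only physicians may open clinical data is a hypothetical simplification, not the Hospital's actual rules.

```python
"""Reconcile accounts, role grants and access-log events against an access policy.

All data below is constructed for illustration; the role policy is a hypothesis,
not the Hospital's real rules.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Hypothetical policy: which data categories each professional category may open.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"clinical", "administrative"},
    "social_services": {"administrative"},
    "technician": {"administrative"},
}


@dataclass(frozen=True)
class Employee:
    employee_id: str
    role: str
    employed: bool  # currently on staff according to HR


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: str  # link to the HR record; empty string means no link at all
    role: str
    active: bool
    granted: FrozenSet[str]  # data categories the account can actually open


# Constructed HR roster (the "296 active doctors" side of the comparison).
ROSTER: List[Employee] = [
    Employee("E100", "physician", True),
    Employee("E101", "physician", False),  # left the Hospital
    Employee("E102", "social_services", True),
    Employee("E103", "technician", True),
]

# Constructed account database (the "985 active physician accounts" side).
ACCOUNTS: List[Account] = [
    Account("amartins", "E100", "physician", True, frozenset({"clinical", "administrative"})),
    Account("rcosta", "E101", "physician", True, frozenset({"clinical", "administrative"})),
    Account("jsilva", "", "physician", True, frozenset({"clinical"})),
    Account("lpereira", "E102", "social_services", True, frozenset({"clinical", "administrative"})),
    Account("tnunes", "E103", "technician", True, frozenset({"administrative"})),
    Account("old_doc", "E999", "physician", False, frozenset({"clinical"})),
]

# Constructed access log in key=value form, one read event per line.
ACCESS_LOG: List[str] = [
    "ts=2018-07-03T10:15:22 user=amartins category=clinical action=read",
    "ts=2018-07-03T10:17:05 user=lpereira category=clinical action=read",
    "ts=2018-07-03T10:20:41 user=tnunes category=clinical action=read",
    "ts=2018-07-03T10:22:13 user=old_doc category=clinical action=read",
    "ts=2018-07-03T10:25:00 user=ghost category=clinical action=read",
    "ts=2018-07-03T10:30:00 user=rcosta category=clinical action=read",
]


def _roster_index(roster: List[Employee]) -> Dict[str, Employee]:
    return {e.employee_id: e for e in roster}


def _has_current_record(account: Account, by_id: Dict[str, Employee]) -> bool:
    emp = by_id.get(account.employee_id)
    return emp is not None and emp.employed


def find_orphaned_accounts(accounts: List[Account], roster: List[Employee]) -> List[str]:
    """Active accounts that cannot be traced to a person currently on staff."""
    by_id = _roster_index(roster)
    return [a.username for a in accounts if a.active and not _has_current_record(a, by_id)]


def find_overprivileged_accounts(accounts: List[Account]) -> List[str]:
    """Active accounts granted data categories beyond what their role permits."""
    return [
        a.username
        for a in accounts
        if a.active and not a.granted <= ROLE_PERMISSIONS.get(a.role, set())
    ]


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'key=value key=value' log line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def audit_access_events(
    log_lines: List[str], accounts: List[Account], roster: List[Employee]
) -> List[Tuple[str, str]]:
    """Flag reads by unknown, disabled or orphaned accounts, and reads outside the role policy.

    The policy check deliberately ignores the account's configured grants: the audit
    is meant to catch what the application let through, not what it was told to allow.
    """
    by_user = {a.username: a for a in accounts}
    by_id = _roster_index(roster)
    findings: List[Tuple[str, str]] = []
    for line in log_lines:
        ev = parse_event(line)
        user, category = ev["user"], ev["category"]
        acct = by_user.get(user)
        if acct is None:
            findings.append((user, "unknown account"))
        elif not acct.active:
            findings.append((user, "inactive account"))
        elif not _has_current_record(acct, by_id):
            findings.append((user, "no current HR record"))
        elif category not in ROLE_PERMISSIONS.get(acct.role, set()):
            findings.append((user, f"role {acct.role} may not read {category}"))
    return findings


if __name__ == "__main__":
    print("orphaned accounts:", find_orphaned_accounts(ACCOUNTS, ROSTER))
    print("over-privileged accounts:", find_overprivileged_accounts(ACCOUNTS))
    for user, reason in audit_access_events(ACCESS_LOG, ACCOUNTS, ROSTER):
        print(f"audit finding: {user}: {reason}")
```

On the constructed data the roster check surfaces the two physician accounts with no current employee behind them, the grant check surfaces the social-services account that can open clinical files, and the log audit catches reads by an account that no longer exists in the account database, a disabled account, an orphaned account and two non-physician roles. Run against real exports, the first check is the direct equivalent of comparing 985 active physician accounts with 296 practising doctors.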
This is the first fine applied by CNPD under the GDPR. It was initiated during the summer holidays and certainly surprised everyone in Portugal, considering that CNPD had not been a very proactive supervisory authority when compared with other EU supervisory authorities, and that public entities were expected to benefit from a three-year grace period after 25 May 2018 during which no administrative actions would be brought against them.
We look forward to the next episode and will certainly keep you posted.
By Sónia Queiroz Vaz, Rita Galvão de Rezende, Nicole Fortunato