Blog Posts Process Management

First substantial GDPR fine issued against a hospital in Portugal

Blog: AuraQuantic Blog

On October 11, the National Commission for Data Protection in Portugal (CNPD) issued the Barreiro-Montijo Hospital a fine of 400,000 euros for three violations of the General Data Protection Regulation.

The CNPD detected the following three data protection violations:

  1. Violation of a minimization principle, by allowing indiscriminate access to an excessive number of users. 150,000 euro fine.
  2. Violation of integrity and confidentiality. 150,000 euro fine.
  3. The incapacity of the person in charge of data processing to guarantee the continued confidentiality, integrity, availability and resilience of treatment systems and services. 100,000 euro fine.

The country’s supervisory authority found 985 users with the profile ‘doctor’ registered with active accounts that gave access to clinical files, although the official HR records reported only 296 doctors in that hospital. Using a test account, CNPD experts managed to access a patient’s clinical data from the digital files of another hospital, located in the town of Carnaxide.

Furthermore, the following breaches were also detected:

The Regulation defines personal data related to health as data “related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status” (article 4.15). The new aspect of this definition is that now information and data related to the provision of health care services which reveals information on the person’s health status is also included as health data.

Due to the importance that this type of data may have for the privacy of the person concerned, the GDPR grants greater protection to this type of data. This means that a series of additional conditions need to be met when processing this data.  It is subject to proactive responsibility, obligating those concerned to implement measures to ensure correct regulatory compliance.

In this particular case, there are two issues that, if prevented, the hospital could have avoided the 400,000 euro fine. The first is that they did not seek the consent of patients which, in accordance with rule 9 of the regulation, must be explicit.

Without consent, the legislation only allows data processing in a special category when certain special circumstances occur. (listed in Article 9(2) of the GDPR). These include:

None of the listed exceptions applied in this case, therefore, to comply with the GDPR, the hospital should have obtained explicit consent from the patients to process their data. The hospital managers should have implemented a protocol or procedure to obtain consent and store it in the patient file, thus allowing access only to the data of the patients who had registered their explicit consent.

Nowadays there are digital platforms on the market to manage this consent and levels of data access. By implementing one of these platforms, the hospital would have collected the required consent and managed the access to data according to the consent, and hereby avoided a good part of the penalty. That said, it was the responsibility of the Hospital’s Administration to take the appropriate measures to guarantee patient data security. Thus, the CNPD concluded that the Hospital was aware of the necessary technical and organizational measures and deliberately neglected them.

Article 83.2 of the Regulation stipulates that Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58. 2. When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, due regard shall be given to the intentional or negligent character of the infringement.

This factor highlights the irresponsibility of the managers when aware of the preventive measures and choosing not to apply them, especially given that, as I mentioned previously, there are solutions in the market to guarantee regulatory compliance.

An interesting reflection is that, although the penalty refers to data minimization, it does not focus on the management of the database as such, but on the access procedures. It does not broach issues of encryption, security or pseudonymization, instead, it focuses on procedures for the creation and definition of access, as well as ensuring compliance with procedures.

Finally, I would like to mention some of data management breaches detected. The lack of internal rules for the creation of accounts and for the management of the levels of access to information by hospital staff is, in my opinion, the greatest demonstration of lack of interest in protecting data that the law recognizes as requiring special protection. There are platforms designed to manage these different standards, from ISO to regulations such as the ones mentioned in this article. These platforms help with the implementation and automation of processes for regulatory compliance and can be completely customizable, allowing automation to be tailored to any organization which aspires the correct fulfillment of the GDPR or any other national or international quality standard.

The post First substantial GDPR fine issued against a hospital in Portugal appeared first on AuraPortal.

Leave a Comment

Get the BPI Web Feed

Using the HTML code below, you can display this Business Process Incubator page content with the current filter and sorting inside your web site for FREE.

Copy/Paste this code in your website html code:

<iframe src="" frameborder="0" scrolling="auto" width="100%" height="700">

Customizing your BPI Web Feed

You can click on the Get the BPI Web Feed link on any of our page to create the best possible feed for your site. Here are a few tips to customize your BPI Web Feed.

Customizing the Content Filter
On any page, you can add filter criteria using the MORE FILTERS interface:

Customizing the Content Filter

Customizing the Content Sorting
Clicking on the sorting options will also change the way your BPI Web Feed will be ordered on your site:

Get the BPI Web Feed

Some integration examples