The first two decisions
The Italian Data Protection Authority, in the decision n. 29 of 27 January 2021, imposed an administrative sanction of euro 10,000 on a hospital for having sent by post, to the wrong patient, a medical report containing information on the health and sex life of two persons as well as information on the health of their family members.
For the same amount, the Italian Data Protection Authority sanctioned a hospital with the decision n. 30 of 27 January 2021 for having delivered to some patients medical records and reports referring to other persons.
In both cases, in determining the amount of the pecuniary sanction, the Italian Data Protection Authority took into account:
- the knowledge of the breach following the data breach notification made by the data controller;
- the isolated and unintentional nature of the breach;
- the small number of data subjects affected by the unlawful processing;
- the high degree of the cooperation that each data controller carried out with the Italian Data Protection Authority.
The third decision
The third case concerned a Local Health Administration Unit where a patient had explicitly requested the facility to ensure that no third parties, especially including his family members, were informed about his state of health. This request was made on a form included in the medical file.
A nurse at this Local Health Administration Unit, not being aware of the formal request made by the data subject on the absolute confidentiality of his data, called him on the home number recorded in the data controller’s data base and, as she did not find him, she updated about the state of health of the patient, instead of the data subject, a member of his family, thus going against his formal request expressed on the form.
Because of this violation, with the decision n. 36 of 27 January 2021, the Local Health Administration Unit, in addition to the compensation for damages suffered by the patient, sanctioned this data controller with a pecuniary administrative sanction of 50,000 euros.
In the light of these decisions, in order to promptly manage data breaches in the healthcare sector and in compliance with the data protection laws, it is essential for data controllers to adopt an adequate data breach policy, so as to be able to act promptly and efficiently in the possible event of a data breach, in accordance with the provisions of Article 33 of the GDPR, and by keeping a register of data breaches in which such events are recorded in full respect of the principle of the accountability.
Moreover, it is fondamental for a data controller creating a data protection culture within its staff, by organising periodical training courses in order to make them aware on the correct processing of patient data and on the procedures to be adopted in the event of a data breach; It could be opportune, lastly, preparing ad hoc company policies to minimise the risk of human errors that may lead to a data breach.
Article provided by: Chiara Agostini (RP Legal & Tax, Italy)
Dr. Tobias Höllwarth (Managing Director INPLP)