04.08.2025

Data protection risk analysis must address different situations

A data protection risk analysis covering the medical records a doctor carries during home visits would have made it possible to avoid the consequences of a car theft. However, it was only after such an event that the non-public health care centre in Pyskowice (hereinafter: the health care centre) identified the risk and expressly prohibited leaving medical records in, among other places, a private car.

The car of a doctor who was travelling to a patient's home was stolen. The unprotected records of eight patients were in the car, including names, forenames, dates of birth, home addresses, personal identification numbers (PESEL numbers), and health data.

The health care centre for which the doctor worked reported the incident to the President of the Personal Data Protection Office, who examined the data protection procedures in place at the health care centre. The risk analysis turned out to be incomplete, so appropriate safeguards for medical records taken on home visits had not been implemented. For this, and not for the loss of the data itself, the President of the Personal Data Protection Office, Mirosław Wróblewski, imposed a fine of PLN 32 832 on the health care centre.

The health care centre also provided health services to patients in the form of home visits. Doctors, who had signed contracts with the health care centre, used their private cars to do so. As early as 2017, the Information Security Administrator of the health care centre drew attention to the problems this entails: carrying unsecured documentation is risky because it can be mislaid or lost as a result of theft. The Security Administrator advised that the documentation should be returned to the facility on the same day and not kept overnight by the doctor.

However, by the time the doctor's car was stolen, these recommendations had not been turned into health care centre procedures. As data controller, the health care centre had not identified employees' private cars as an area of personal data processing covered by its data protection procedures. The procedures themselves referred only in very general terms to processing outside the controller's premises and did not respond to the real risks identified in the security audits. The change came only after the theft, when the annex to the security policy on physical security was updated with specific rules for transporting medical records outside the premises of the medical establishment. Only then did staff receive appropriate training, and doctors visiting patients were provided with locked folders for the medical documents.

Decision in English: DKN.5131.17.2022