A fine of PLN 100,000 for disclosure of health data

The President of the Personal Data Protection Office imposed a fine of PLN 100,000 (about 23,000 €) on the Minister of Health for disclosing data on one person's health status.

The Minister of Health, being the controller of the data processed in the electronic system, extracted data from it and next published them on one of the social media sites. The entry contained information about a doctor who had given himself a prescription for a psychotropic drug. Thus, the Minister of Health unlawfully disclosed data about this person's health condition. The President of the Personal Data Protection Office, after conducting administrative proceedings, issued a decision and imposed an administrative fine of PLN 100,000 on the Minister of Health.

"This is the maximum fine for a public sector entity. In its decision, the Polish supervisory authority stressed that if it were not for the statutory fine limit, the fine would have been much higher," said Jakub Groszkowski, Deputy President of the Personal Data Protection Office.

In the course of the proceedings, the Polish supervisory authority established that the controller of the disclosed data is the Minister of Health, as an authority that has been equipped with specific rights allowing him to access the data processed in the mentioned system in strictly defined cases and for specific purposes. The doctor's data were disclosed in breach of the provisions of the GDPR and of national sector-specific regulations, compliance with which was the responsibility of the data controller, i.e. the Minister of Health.

In the opinion of the Office, the place of publication of the personal data is irrelevant, as the Minister of Health was not entitled to publish them in any way. Moreover, the purposes for which he is entitled to process them are strictly defined in the Act on the healthcare information system.

At the same time, the supervisory authority noted in its decision that the data subject could both pursue their rights before a civil court and lodge a complaint with the President of the Personal Data Protection Office about the unlawful processing of their personal data by Adam Niedzielski, acting 'privately' as a natural person.

The proceedings of the Polish supervisory authority concerned a personal data breach not only in relation to the disclosure of data from one of the registers, but also a breach of security rules related to the acquisition of those data from the system and the manner in which they were transferred to the Minister of Health.

In its decision, the DPA pointed out, inter alia, that the transfer of the data obtained from the register took place via the WhatsApp messenger, which also created the possibility of losing control over those data, including their security. Not only was this communication channel not indicated in the risk analysis carried out by the controller, it is also not indicated for communication in public administration, given that the owner of this messenger has already been sanctioned by the Irish supervisory authority for, inter alia, a lack of transparency in the processing of personal data.

The Minister of Health not only failed to ensure an adequate level of data security, but also inadequately communicated the personal data breach to the data subject. The notification lacked even a description of the possible consequences for the person in connection with the breach of his or her data protection, or a description of measures to mitigate the possible adverse effects of the breach.

In imposing the fine the DPA took into account both the intentional nature of the breach and the controller's failure to take appropriate action after the incident occurred. Apart from deleting the social media post, no action was taken, such as apologising to the doctor, expressing regret or publicly acknowledging the mistake.

The Office did not find grounds to take into account any mitigating circumstances that could have had an impact on the reduction of the final fine imposed on the Minister of Health. The application of remedies other than a fine would not guarantee that the controller would not commit further negligence in the future.

The decision is available here.