Hidden video surveillance in neonatology department
The President of the Personal Data Protection Office Miroslaw Wróblewski imposed two fines on Centrum Medyczne Ujastek Sp. z o.o. (hereinafter: Medical Centre), based in Krakow, in the total amount of PLN 1,145,891.25, for installing image recording devices in 2 rooms of the neonatology department in violation of current regulations, and for failing to apply technical and organisational measures responding to the risk to the data processed on the memory cards that were in the monitoring devices.
The monitoring implemented by the Medical Centre in the neonatology department between July 1 and 23, 2023, recorded, within its scope, images of both newborns and their mothers performing intimate activities such as, among others, feeding or nursing the babies. According to the explanations provided by the facility, the children whose images were captured on the recordings no longer required intensive care, so their health was not at risk. After analysing the legal grounds, the President of the Personal Data Protection Office found that the video surveillance implemented by the Medical Centre had been introduced in violation of the current regulations and, moreover, was of a secret nature: neither the patients nor the facility's employees were informed about the ongoing image recording. As a result of the described violations of the GDPR, the President of the Personal Data Protection Office imposed a fine of PLN 687,534.75 on the Medical Centre.
At the same time, the Medical Centre notified the President of the Personal Data Protection Office of a breach involving the loss or theft of memory cards from the video recording devices in the 2 rooms of the neonatology department indicated above. After investigation, it was determined that the memory cards that contained the recordings had not been encrypted, and that the devices used for image recording had not been configured to meet the requirements of the facility. In addition, the risk analysis provided by the Medical Centre did not cover the risks that were the cause of the incident and did not identify security measures that could have prevented the incident from occurring. Thus, the President of the Personal Data Protection Office, after finding a violation related to the failure to implement appropriate security measures, imposed a fine of PLN 458,356.50 on the Medical Centre.