17.09.2025

The PL SA applied to the Minister of Health for changes in the rules for disclosure of data access

The President of the Personal Data Protection Office applied to the Minister of Health for changes in the rules for disclosure of data access in the Register of Entities Performing Medicinal Activities (RPWDL)

 

The President of the Personal Data Protection Office, Mirosław Wróblewski, asked the Minister of Health, Jolanta Sobierańska-Grenda, to take legislative action aimed at changing the model of full transparency of access to the personal data of persons who are obliged to enter their data in the Register of Entities Performing Medicinal Activities (hereinafter RPWDL).

The changes proposed by the President of the Personal Data Protection Office are aimed at guaranteeing a higher level of protection of personal data, of the constitutional right to privacy and of the autonomy individuals have over their data.

The statement was prompted by signals reaching the President of the Personal Data Protection Office expressing concern about full publicity of access to personal data contained in the RPWDL. Recently, the Supreme Medical Council has also issued an appeal on this matter, drawing attention to concerns about the safety of doctors and other persons performing medical professions who, under the provisions of the Act on medical activity, must be entered in the RPWDL. The provisions of this Act regulate the procedure for submitting an application for entry in the RPWDL and what data are to be included in it.

The supervisory authority does not question the reasonable objectives regarding the functioning of the RPWDL as an instrument of social control, enabling, inter alia, the verification by patients of entities and persons performing medical activities. However, it argues that those objectives must be pursued in such a way as to ensure a balance between the public task carried out and the risks to the rights and freedoms of persons whose data has been made available in the RPWDL.

It should be borne in mind that persons conducting medical activities or practices, while their data are public in the RPWDL, remain under the legal protection of the Constitution of the Republic of Poland and also of Regulation 2016/679, i.e. the GDPR. The protection offered by the GDPR cannot be limited by national legislation without striking a balance between the right to privacy along with the right to personal data protection and the right to information about entities performing medical activities (public disclosure of the registration data of persons and entities whose data are contained in the RPWDL). Meanwhile, anyone using a web browser can access information about these entities, including names and surnames, Tax Identification Number (NIP), National Business Registry Number (REGON), correspondence address and the address of the place where services are provided.

The supervisory authority sees a danger in such handling of personal data. Public access to, for example, the address of a family home can lead to many threats, ranging from intrusive marketing and theft to acts of violence. Recent incidents of aggression against medical workers show that they belong to a group particularly exposed to these risks. The President of the Personal Data Protection Office also notes that data commonly available in various types of public registers are nowadays often used, for example, for combination with other data through the automated downloading of information from the network.

In the opinion of the President of the Personal Data Protection Office, consideration should be given to introducing a regulation limiting universal access to personal data from the RPWDL. One solution could be to leave it up to data subjects to decide whether to include in the RPWDL their address data, i.e. address of residence, postal address and the place where the medical services are performed (if it is the same as the place of permanent residence), as well as contact details. It is also worth considering the possibility of waiving the public disclosure of address and contact data.

It is also necessary to analyse to what extent the RPWDL could be limited in terms of publicity and request-free access to data. In the opinion of the President of the Personal Data Protection Office, the public availability of the register should be limited only to the most relevant data, allowing verification of the person or entity providing services in terms of their qualifications (e.g. entry in the regional register of doctors, number of the professional licence). Other data could only be made available on request and in cases provided for by law (when the applicant demonstrates a legal interest in having more detailed data). According to the President of the Personal Data Protection Office, it is also worth considering the introduction of sanctions for the use of data contrary to the purpose of making it available.

In addition, according to the supervisory authority, an important reason for considering changes to the provisions governing the RPWDL model is the fact that the legal mechanism for the functioning of the RPWDL has not changed for more than nine years and was implemented even before the introduction of Regulation 2016/679. Moreover, changes to it have not yet been considered in the context of changing social conditions and vulnerabilities resulting from the development of digital threats.

The President of the Personal Data Protection Office declares his readiness to participate in further discussion on detailed legal solutions and offers expert support both in the course of legislative work and at the stage of preliminary work.