European Data Protection Board

Wrongful to publish sensitive personal data on Region Örebro County’s website

Wednesday, 13 May, 2020

The Swedish Data Protection Authority’s investigation shows that the Healthcare Committee in Region Örebro County made a mistake when publishing on the region’s website sensitive personal data about a patient admitted to a forensic psychiatric clinic.

The Swedish Data Protection Authority received a complaint against the Healthcare Committee in Region Örebro County, claiming that sensitive personal data about a patient admitted to a forensic psychiatric clinic had been published on the region’s website.

– Our investigation into the matter shows that sensitive personal data has wrongfully been published and thereby made accessible to the public on the region’s website, says Elin Hallström, Legal Advisor at the Swedish Data Protection Authority.

The Swedish Data Protection Authority’s audit shows that there are no written instructions in place relating to the publication of documents and personal data on the website. Instructions for publishing information are instead communicated orally. In this case, the instructions had not been followed, which led to the accidental publication of the document. This suggests that the Committee had not taken sufficient organizational measures to ensure that personal data is protected from being wrongfully published on the region’s website.

– For this reason, we are now ordering the Committee to establish written instructions and introduce measures that ensure that those who publish personal data on the region’s website do so in accordance with set instructions.

In its decision, the Swedish Data Protection Authority also concludes that in terms of publication the Committee had neither a legitimate purpose, nor a legal basis, nor fulfilled the requirements for an exemption from the general prohibition against handling sensitive personal data in the General Data Protection Regulation.

The Swedish Data Protection Authority orders the Committee to bring its personal data handling into compliance and furthermore issues an administrative fine of 120 000 Swedish kronor (approx. 11 000 euro) against the Committee.

The published document in question has been removed from the region’s website.

For further information, please contact the Swedish SA: datainspektionen@datainspektionen.se   

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.