A Portuguese hospital is preparing a legal challenge to appeal two fines totalling €400,000 levied under the GDPR (General Data Protection Regulation).
Issues regarding confidentiality at the Centro Hospitalar Barreiro Montijo (CHBM) were raised in April 2018 when the Sindicato dos Médicos da Zona Sul (Medical Workers Union of the Southern Zone) reported that non-clinical staff were using ‘medical’ profiles to access CHBM’s computer system. An audit subsequently conducted by the National Data Protection Commission (Comissão Nacional de Protecção de Dados, CNPD) found that 985 users were registered on the system under the ‘Physician’ grouping, but only 296 physicians were indicated as working there. One test profile had been set up with the same unrestricted access as the ‘technical’ profile, and nine social workers had been given access to confidential patient information.
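The audit finding above comes down to a reconciliation check: accounts holding a clinical profile in the application versus people whose job actually justifies it. The script below is an added example, not part of the article or of CHBM’s systems; the profile names, the allowed-role mapping and both data sets are constructed for illustration.

```python
"""Reconcile application profile assignments against the HR roster.

Flags (1) accounts whose profile grants clinical access but whose HR role
does not justify it, and (2) accounts holding such a profile with no HR
record at all, which is where test and orphaned accounts show up.
"""

# Profiles that grant access to patient data (assumption for this example).
CLINICAL_PROFILES = {"Physician", "Technical"}
# HR job roles that legitimately justify each clinical profile (assumption).
ALLOWED_ROLES = {"Physician": {"physician"}, "Technical": {"technician"}}

# Constructed sample export from the clinical system: (username, profile).
SYSTEM_ACCOUNTS = [
    ("asilva", "Physician"), ("mcosta", "Physician"), ("jpereira", "Physician"),
    ("rsantos", "Physician"),      # a social worker holding a physician profile
    ("test01", "Technical"),       # a test account with full technical access
    ("lfaria", "Administrative"),  # non-clinical profile, not examined
]
# Constructed sample HR roster: username -> job role.
HR_ROSTER = {
    "asilva": "physician", "mcosta": "physician", "jpereira": "physician",
    "rsantos": "social worker", "lfaria": "clerk",
}


def reconcile(accounts, roster):
    """Return (user, profile, reason) for every clinical profile not backed by HR."""
    findings = []
    for user, profile in accounts:
        if profile not in CLINICAL_PROFILES:
            continue
        role = roster.get(user)
        if role is None:
            findings.append((user, profile, "no HR record (test or orphaned account)"))
        elif role not in ALLOWED_ROLES[profile]:
            findings.append((user, profile, f"HR role '{role}' does not justify profile"))
    return findings


def headcount_gap(accounts, roster, profile, role):
    """Accounts holding `profile` versus staff whose HR role is `role`."""
    assigned = sum(1 for _, p in accounts if p == profile)
    staffed = sum(1 for r in roster.values() if r == role)
    return assigned, staffed


if __name__ == "__main__":
    for finding in reconcile(SYSTEM_ACCOUNTS, HR_ROSTER):
        print("FINDING:", *finding)
    print("Physician profiles vs physicians on roster:",
          headcount_gap(SYSTEM_ACCOUNTS, HR_ROSTER, "Physician", "physician"))
```

Run against real exports, the headcount comparison is the quick smoke test (985 profiles against 296 physicians would fail it immediately); the per-account findings are what an access review would then work through.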
The Publico newspaper reported that two fines had been issued as a result of the CNPD audit. The first, for failing to respect patient confidentiality and limit access to patient data, was €300,000, and the second, for failing to “ensure the confidentiality, integrity, availability and permanent resilience of treatment systems and services”, was €100,000.
In a statement, the board of the Lusa hospital unit, one of the hospital sites under the group, said: “The Centro Hospitalar Barreiro Montijo (CHBM) does not follow the assumptions and understanding of the National Data Protection Commission (CNPD) on this matter, […] We are currently preparing a judicial challenge.”
Fines under the GDPR
Irrespective of whether CHBM’s appeal is successful, the fines should be a warning to other organisations that have failed to address their data protection obligations under the GDPR.
The €400,000 fine in this case is just a fraction of the maximum allowable under the GDPR. Two tiers of administrative fines can now be levied, depending on which articles of the Regulation an organisation has breached:
- Up to €10 million, or 2% of annual global turnover – whichever is higher.
- Up to €20 million, or 4% of annual global turnover – whichever is higher.
Data protection authorities must impose fines on a case-by-case basis and these must be “effective, proportionate and dissuasive”.
If you’re unsure of your organisation’s current level of compliance with the GDPR, enquire about our gap analysis service. It helps identify and prioritise the key work areas that your organisation must address.
GDPR webinar series
IT Governance has developed a series of webinars delivered by Alice Turley, a highly experienced data protection, consumer protection and compliance consultant providing expert and solution-based advice.
The next webinar is “Appointing a data protection officer (DPO) under the GDPR”. A DPO is a requirement for all public authorities or bodies, and any organisation whose core activities consist of:
- Data processing operations that require regular and systematic monitoring of data subjects on a large scale; or
- Large-scale processing of special categories of data (sensitive data such as personal information on health, religion, race or sexual orientation) and/or personal data relating to criminal convictions and offences.
Most healthcare providers, including primary care, hospital trusts and pharmacies, must appoint a DPO.