Resolutions, opinions and reports search tool

Data protection regulations do not prevent the person from notifying the data they request, regarding access to their clinical history, including the identity of the professionals who have accessed it, in relation to the requested period.

According to Article 24.3 LTC, the resolution of the application for access to the clinical history of the applicant must be processed in accordance with the GDPR and the possible complaint must be processed before the Catalan Data Protection Authority, the competent authority to find out about the complaints in relation to the right of access provided for in Article 15 GDPR.

Revelation of health data to the complainant's father, the age of the person at the time of the event.

The complainant complains that they made him send medical documentation by email and that this would facilitate access to medical data by non-health administrative staff. RA is issued since this was an exceptional shipment since the patient requested urgent assistance by phone for the prescription of pain medication and since the last medical report was not yet included in the HC3, since the same one had been issued day at another medical center, he was asked to send it by e-mail in order to carry out the medical prescription. These emails are managed by the administrative staff entrusted with these functions and, moreover, management does not involve access to medical documentation; only if it becomes essential for the performance of its functions. Art. 16 Law 41/2022.

RA is being prepared because the complainant was the one who in a workplace revealed his or her COVID (and his/her) results to other partners. He did so for organisational purposes. At the same time, his boss communicated the results (and those of his wife) to a colleague in charge of carrying out organizational functions. Although it was not necessary to disclose data on his wife's results, it would be disproportionate to hold the complainant responsible for this fact, when it was the complainant himself who revealed the information in a voluntary, trusted environment amongst colleagues. It should also be noted that the complainant confirmed that he had carried out an access audit and confirmed that there had been no access to the complainant's data.

The person in charge of the treatment must implement the appropriate measures to ensure that the conversations held between their staff and the patients cannot be heard by unauthorized third parties. It is necessary to carry out a risk analysis to determine the applicable security measures.

The patient, in view of the legislation studied (legislation on patient autonomy and transparency legislation, in connection with article 6.1.c) RGPD), must be able to know the identity of the people who have accessed their medical history and, where appropriate, any improper access that may have occurred. Although not part of the right of access provided for in the RGPD, data protection regulations do not prevent the holder of the medical record from accessing information on the due or improper nature of access to the medical history, if the person in charge has this information.

The ICS, within the framework of the present rights protection procedure and in response to the request for access by the person here claiming, specifically asking for the registration of health professionals who accessed their clinical history of primary care (ECAP) from 09/08/2021 to 15/12/2021, has submitted to them in 21/02/2022 a list of accesses to their clinical history made in the aforementioned period, also informing them that all of them had a purely assistive purpose. The complainant, consulted by this authority, has not filed any allegations against being satisfied with the information obtained, which is why the ICS' response is declared to be extemporaneous without any further pronouncements on the substance of the complaint.

Data protection regulations do not prevent access to information relating solely to the claimant’s own working conditions, nor to the merely identifying data of the persons responsible for establishing their work schedule. With regard to the “hostile incident” request, the complainant has the right to access all information about her person listed in the documentation, including the source of the information (identity of the persons who have provided it), unless the hearing procedure results in a circumstance that justifies the limitation of access. Access to third-party health data that the claimant may not have previously known about their caregiver functions, and other irrelevant third-party information, should be excluded from access. Data protection regulations do not prevent the person claiming information regarding access to their medical history from being communicated.

On the one hand, by means of the digital certificate linked to a worker in the entity - which allowed him to access the HC3 file of the Department of Health - an unidentified person or persons who had access to the HC3 of the complainants, all of them workers in the entity; which is considered constitutive of a violation of the principle of application linked to the improper treatment of special categories of data. On the other hand, the digital certificate linked to one of the working people of the FSFA, which as mentioned allowed access to the HC3 file, was installed on several computers to which different people also workers in the entity had access. Thus, to the extent that all these people could use the same certificate to access the HC3 database, the identification of the person who actually accessed it could not be guaranteed unequivocally and customarily, nor, consequently, the justification of these accesses could be analysed. This is considered to be a breach of security measures.