Resolutions, opinions and reports search tool

The complainant alleged that his medical history had been manipulated. Specifically, he stated that the diagnosis of the injuries he suffered in an accident was incorrect and that the images contained therein were blurred and cropped. During the processing of the claim, the hospital proved that the information in the complainant's medical history was correct, that there had been no modification after the date of the accident and that the images were not blurred or cropped. The procedure is closed, since no punishable act from the point of view of data protection can be attributed to the hospital, nor can any responsibility be attributed to the reported and unaccredited acts.

The complainant complains that his ex-partner has improperly accessed his HC, without his permission. On the other hand, the CSI states that the professional accessed it during the period of time in which the complainant and the professional were a couple, but does not provide the patient's explicit consent. It is resolved that the principle of confidentiality has been violated.

The complainant complains that the medical center has issued two reports, which state a pathological history that is not based on any medical evidence. The entity has acknowledged the facts and corrected the reports. A final resolution is being prepared for violation of the principle of accuracy.

It is resolved to declare that, prior to 05/03/2023, the HCB had not implemented the appropriate security measures -technical and organizational- to guarantee a level of security appropriate to the risk of the personal data processing it carried out. Nor had it carried out a risk analysis to define the required security measures, as required by sections 1 and 2 of article 32 RGPD. The computer platform that was the subject of the cyberattack stored information from the HCB and also from other related entities (Barnaclínic SA, CAPSBE and FRCB-IDIBAPS); therefore, the volume and sensitivity of the information required special diligence in its custody and security.

The medical history of the reported foundation is configured in such a way that, by design and by default, the foundation's own and external doctors can access it, through the foundation's information systems. This fact caused an external doctor who treated the reporting person within the framework of private healthcare to access his medical history, without his explicit consent or any other legal basis that legitimized this treatment. In this case, the violation of the duty of data protection by design and by default is not imputed, since there is an ideal competition of infringements and only the most serious infringement is imputed; that is, the violation of the principle of legality (qualified as very serious). Nor is the violation of the principle of purpose limitation imputed, because it is subsumed in the infringement relating to the principle of legality.

The person making the complaint showed that her HC3 was accessed from CABO Centelles on four occasions, during the months of May 2022, despite not having been visited at that health center. In response, the DPD of the reported entity has confirmed that it is the material author of the accesses and has justified them by arguing that they were necessary to be able to respond to a request for information that this Authority notified to the aforementioned entity, within the framework of another complaint. filed by the same person complaining. In relation to this, during the prior information phase it was found that the accesses carried out by the personal data protection delegate to the complainant's HC3 were justified, given that they were carried out in the exercise of his duties. , and to respond to a request from this Authority. For all this, the filing of these proceedings is appropriate.

It is resolved to declare that the Department of Health has committed the infringement provided for in Article 83.5a), in relation to Article 5 RGPD, which contemplates the principle of accuracy of personal data, since the platform "My Health" of the complainant contains inaccurate information about health professionals who would have attended it in different medical consultations. The discord is also manifested between the information contained on the one hand in the HC of the health center and the HC3; and on the other hand, in the information that appears in the LMS viewer.

The archiving of the actions is resolved since the reported entity has justified that the controversial access to HC3 of the complainant was caused by a typing error, within the framework of the RedCov project, in which certain parameters had to be consulted in various clinical stories.

El tratamiento de los datos necesarios para la realización de las pruebas de los procesos de selección de personal, incluidas los datos de salud de los participantes, tiene como base jurídica el cumplimiento de una misión en interés público y el cumplimiento de obligaciones específicas de las administraciones competentes establecidas por la normativa de función pública. La grabación de las pruebas psicotécnicas requiere, además de su previsión en las correspondientes bases de las convocatorias (con la concreción y determinación de las garantías específicas necesarias), la realización previa de una AIPD. No parece que la base jurídica del consentimiento sea adecuado para legitimar el tratamiento de los datos de los aspirantes a un proceso selectivo con la finalidad descrita, dado que no se puede considerar que en el caso planteado pudiera haber un consentimiento realmente libre, ni la posibilidad de establecer medios alternativos que garantizaran el principio de igualdad que tiene que regir los procedimientos selectivos.

It is resolved to reprimand the accused entity given that, following a request for permanent disability, presented by the complainant here, a doctor issued a medical opinion, which included data referring to her health, which had nothing to do with the pathology that caused it. the disability petition. The complainant based her request on certain chronic back and foot injuries, and the controversial opinion included medical information related to a gynecological pathology, which had nothing to do with the IP file. This fact is considered to have violated the principle of minimization of personal data, which is why the General Subdirectorate of Medical Evaluations is reprimanded.