Kry – Violation Found (Sweden, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Sweden's Datainspektionen found that Kry, a healthcare app provider, did not properly limit employee access to patient records. This matters because it highlights the importance of protecting sensitive health data and ensuring only necessary access is granted to employees.
What happened
Kry granted a large number of employees access to its patient record system without a risk and needs analysis that established which staff actually needed access to which data.
Who was affected
Patients using Kry's app for video consultations and prescription renewals were affected.
What the authority found
The DPA found that Kry's risk analysis and access controls for patient data did not meet legal standards under GDPR.
Why this matters
This case emphasizes the need for healthcare providers to conduct thorough risk assessments and limit data access to protect patient privacy. It serves as a reminder for companies handling sensitive data to regularly review and improve their security measures.
GDPR Articles Cited
The caregiver Kry provides health services via video calls. The patient downloads an app that is available for iOS and Android. The app allows the patient to have a video call with a doctor and to renew certain prescriptions without a video call. At the time of the inspection, the caregiver's internal medical record system contained approximately 450,000 patient records accessible by 490 of the caregiver's employees.

The DPA initiated the investigation on March 22, 2019 and conducted an on-site inspection on April 4, 2019. The inspection concerned:

Risk-needs analysis
* whether the caregiver had analyzed the risks to which data subjects were exposed as a result of the caregiver's processing of personal data
* whether the caregiver had properly assessed which of its employees needed access to which data

How access to medical data was defined
* how employees were granted access to the caregiver's internal medical records
* how staff were granted access to other caregivers' medical records through the coherent medical record system (sammanhållen journalföring)
* whether access and permissions were properly defined based on the risk-needs analysis

Logs
* how the caregiver logged whenever a staff member accessed a patient's data

Risk-needs analysis
The DPA concluded that the risk and needs analysis did not meet all statutory requirements at the time of inspection. During the supervisory investigation, the caregiver submitted a revised risk analysis twice. The DPA considered the revisions to be significant improvements, but an even more thorough analysis was needed to meet the statutory requirements. The DPA said there was a need to assess risks based on categories of personal data, such as addictions, mental health, and domestic violence.

Access to medical records
Although a caregiver has a legitimate interest in processing a lot of personal data about a person's health, permission to access personal data must be limited to what a healthcare worker needs to d
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions are recorded for Kry in Sweden; this is the only recorded action for this entity in this jurisdiction.
About this data
Cite as: Cookie Fines. Kry - Sweden (2020). Retrieved from cookiefines.eu