SERVICIO CANARIO DE LA SALUD – Complaint Upheld (Spain, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Canary Health Service allowed unauthorized access to a person's medical records by multiple health professionals. This breach of privacy occurred when ten staff members accessed the records, but only two had a valid reason to do so. This case shows the need for better security measures to protect sensitive health information.
What happened
Ten health professionals accessed a person's clinical history without proper authorization.
Who was affected
The individual whose medical records were accessed by unauthorized health professionals.
What the authority found
The Spanish DPA determined that there was unauthorized access to the individual's medical records, violating rules on confidentiality and integrity.
Why this matters
This case highlights the importance of strict access controls in healthcare settings. Organizations must ensure that only authorized personnel can view sensitive information to protect patient privacy.
GDPR Articles Cited
On November 2, 2021, the data subject requested his clinical history. Along with the history, the Canary health service (Servicio Canario De La Salud) provided a list of accesses made by primary caregivers and a list of accesses made by specialists at the Fuerteventura General Hospital. These lists showed that health professionals who were not associated with any clinical process or consultation related to the data subject had accessed the subject's clinical history.
Upon receiving the data subject's complaint, the controller (Servicio Canario De La Salud) hired Electromedical and Information Services (ASEI) to carry out an internal investigation to assess whether the access to the data subject's medical records by health professionals could be justified. This internal investigation resulted in an internal warning within the Servicio Canario to be careful when accessing documents.
The data subject appealed this to the DPA, stating that the results of the audit did not justify the accesses, nor did they explain the reasons that led the personnel in question to access the file. After a DPA investigation, it was determined that in total ten professionals from the General Hospital of Fuerteventura had accessed the file. Of the ten, only two were justified in accessing the file, as they were professionals in the Anesthesia and Resuscitation Area (FEA), which was related to the data subject's condition.
The Spanish DPA considered that there had been undue access to the data subject's clinical history and disclosure of personal information to third parties without the consent of the owner. These facts represent a breach of confidentiality and integrity, violating Article 5(1)(f) GDPR, since the data subject's medical history had been accessed by third parties who were not authorised to do so. The DPA also highlighted the lack of measures in place aimed at guaranteeing the confidentiality of such information. Due to this, the security measures of the controller were no
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for SERVICIO CANARIO DE LA SALUD in ES
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. SERVICIO CANARIO DE LA SALUD - Spain (2023). Retrieved from cookiefines.eu