Sweden: Datainspektionen completes audit of Capio St. Göran's Hospital, imposes fine of SEK 30M
The Swedish data protection authority ('Datainspektionen') announced, on 3 December 2020, that it has completed an audit of Capio St. Göran's Hospital AB assessing the hospital's systems for controlling staff access to medical records, and has imposed a fine of SEK 30 million (approx. €3 million) for failing to implement sufficient technical and organisational measures. In particular, the Datainspektionen found that the health provider had violated Articles 5(1)(f) and 32(1) and (2) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') by failing to carry out a risk analysis before determining staff permissions to access patients' records, and by not limiting staff access to medical records to what each staff member requires to fulfil their tasks relating to the provision of healthcare services.
In addition, the Datainspektionen highlighted that the processing of sensitive personal data by a large number of people within an organisation places increased responsibility on the data controller, and stated that the risk analysis must account for both the probability and the seriousness of the risk to the rights and freedoms of the data subjects concerned. Moreover, having examined the hospital's guidelines for allocating roles with access to patient records, the Datainspektionen found that the guidelines lack any assessment of the staff's actual need to access that data.
You can read the decision, only available in Swedish, here.