Serious criticism for unintended changes to shared medical record

Summary

On 13 August 2021, the Danish Health Data Authority reported a personal data breach to the Danish DPA. The breach followed two other similar breaches reported in August 2020 and July 2021, respectively, which resulted in the Danish DPA criticizing "Region Hovedstaden" (the capital region), as it was responsible for the Health Platform.

The security breach occurred when a code change in the platform unintentionally altered the Shared Medicine Record, causing the end date of dosing for 267 individuals on the Shared Medicine Record to no longer appear in the platform. The Capital Region of Denmark is the data controller for the Health Platform, while the Danish Health Data Authority is the data controller for the Shared Medicine Record.

The Danish Data Protection Agency's decision

The Danish DPA seriously criticized the Danish Health Data Authority for not processing personal data in accordance with the rules in GDPR, Article 32(1) (security of processing), and Article 33(1) (late notification of personal data breaches).

Our remarks

• The case concerns a situation where several actors exchange data in a service-based architecture. This case specifically shows how a third party's changes to one system can lead to unintended changes in another system that was not the intended target of the change.

• The Danish DPA emphasizes that the data controller is responsible for testing all likely error scenarios when developing or modifying software that processes personal data, including when changes are implemented by third parties. In these situations, clear agreements should be made between all actors in the architecture of the system so that the controller can maintain control and integrity of the system. This follows the requirement for appropriate organizational measures in GDPR, Article 32(1).

• Personal data breaches must be notified to the DPA without undue delay and, if possible, within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. In this case, the Danish Health Data Authority became aware of the breach on 9 August 2021 but did not report the breach until 13 August 2021, which the Danish DPA deemed too late.

Published: 22-06-2022, Journal number: 2021-442-14071
Tags: 05 Data security

Complycloud EU GDPR Report