Illegal processing of sensitive data, in particular large amounts of health data, carries a high risk of enforcement action under the General Data Protection Regulation, a legal expert has said.
A hospital in Portugal has been fined EUR 400,000 due to its failure to manage sensitive patient data on a need-to-know basis.
Inspectors found that in the hospital, any doctor had access to all patient files, regardless of the doctor’s specialty, alongside other failures.
The hospital tried to argue that it was not responsible for these deficiencies because it used the IT system provided to public hospitals by the Portuguese Health Ministry.
However, the Portuguese data protection authorities decided that it was the hospital’s responsibility to ensure that adequate security measures were implemented.
When collecting large amounts of sensitive data, companies should focus significantly on compliance with GDPR, says Dr Lukas Feiler from law firm Baker McKenzie.
The advice sets out three steps for logical access control:
Identification: The user has to disclose his or her identity. Any system that allows users to log in using accounts such as “test” or “admin” already fails this basic requirement.
Authentication: The user’s identity is verified, typically using one or two of the following three factors:
- something that the user knows, such as a password
- something that the user has, such as a key or token
- something that the user is (i.e., biometrics).
Authorization: Once the user’s identity has been verified, the user is granted access only to the data that the user needs to perform his or her job duties (need-to-know principle).
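The three steps above, as an added example that is not part of the article or of the hospital's system: a check that refuses generic accounts at identification, verifies a salted password hash at authentication, and at authorization releases a patient file only to a named member of the care team in the treating specialty (the need-to-know control the inspectors found missing). All user names, passwords and patient identifiers are constructed sample values.

```python
"""Three-step logical access control for patient files (constructed example)."""
import hashlib
import hmac
import os

# Step 1 (identification): shared or generic accounts do not identify a person.
GENERIC_ACCOUNTS = {"test", "admin", "guest", "doctor"}

def make_credential(password: str) -> tuple[bytes, bytes]:
    """Salted PBKDF2 hash so the stored verifier is not the password itself."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

# Constructed directory: username -> (salt, digest, specialty). Sample values only.
USERS = {
    "dr.silva": (*make_credential("correct horse"), "cardiology"),
    "dr.costa": (*make_credential("battery staple"), "oncology"),
    "admin": (*make_credential("admin"), "cardiology"),  # generic account, refused
}

# Constructed patient register: patient_id -> treating specialty and named care team.
PATIENTS = {
    "P-1001": {"specialty": "cardiology", "care_team": {"dr.silva"}},
    "P-2002": {"specialty": "oncology", "care_team": {"dr.costa"}},
}

def may_open_file(username: str, password: str, patient_id: str) -> tuple[bool, str]:
    """Return (allowed, stage): stage names the check that decided the outcome."""
    # 1. Identification: the account must name one accountable individual.
    if username in GENERIC_ACCOUNTS or username not in USERS:
        return False, "identification"
    salt, digest, specialty = USERS[username]
    # 2. Authentication: prove possession of the factor (a password here).
    if not verify_password(password, salt, digest):
        return False, "authentication"
    # 3. Authorization (need-to-know): only the patient's care team within the
    #    treating specialty may read the file; being "a doctor" is not enough.
    patient = PATIENTS.get(patient_id)
    if (patient is None or username not in patient["care_team"]
            or patient["specialty"] != specialty):
        return False, "authorization"
    return True, "authorized"
```

Logging the returned stage on every refusal gives the audit trail a supervisory authority would expect when reviewing who could reach which file.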
Commenting on the nature of the first GDPR fines, Dr Feiler says: “Rather than imposing a great number of fines for non-compliance with new GDPR requirements, the data protection authorities focused on a small number of cases where basic requirements were not satisfied. This underscores the importance of setting clear priorities when implementing the GDPR in any organisation.”