Health data processors are a key target for GDPR enforcement, legal expert warns

Illegal processing of sensitive data, in particular large amounts of health data, carries a high risk of enforcement action under the General Data Protection Regulation (GDPR), a legal expert has said.

A hospital in Portugal has been fined EUR 400,000 due to its failure to manage sensitive patient data on a need-to-know basis.

Inspectors found that, in the hospital, any doctor had access to all patient files regardless of the doctor’s specialty, alongside other failures.

The hospital tried to argue that it was not responsible for these deficiencies because it used the IT system provided to public hospitals by the Portuguese Health Ministry.

However, the Portuguese data protection authorities decided that it was the hospital’s responsibility to ensure that adequate security measures were implemented.

When collecting large amounts of sensitive data, companies should focus significantly on compliance with GDPR, says Dr Lukas Feiler from law firm Baker McKenzie.

The firm advises three steps for logical access control:

Identification: The user has to disclose his or her identity. Any system that allows users to log in using accounts such as “test” or “admin” already fails this basic requirement.

Authentication: The user’s identity is verified, typically using one or two of the following three factors:

  • something that the user knows, such as a password
  • something that the user has, such as a key or token
  • something that the user is (i.e., biometrics).

Authorization: Once the user’s identity has been verified, the user is granted access only to the data that the user needs to perform his or her job duties (need-to-know principle).
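The three steps above, applied to a patient-file system, as an added illustration that is not part of the article or the law firm's guidance. All names, roles and records are constructed for the example; the need-to-know rule used here (a clinician may open a file only if they are on that patient's care team) is one hypothetical way to encode what the inspectors found missing.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed example data and rules; hypothetical, not any real hospital's system.
GENERIC_ACCOUNTS = {"test", "admin", "guest", "doctor"}  # accounts naming no individual
FACTOR_TYPES = {"knows", "has", "is"}                    # password / token / biometric

@dataclass
class User:
    user_id: str
    role: str                                   # "doctor", "nurse", "billing", ...
    verified_factors: frozenset = frozenset()   # factor types passed at login

@dataclass
class PatientFile:
    patient_id: str
    care_team: frozenset                        # user_ids of clinicians treating this patient

def identify(user_id: str) -> str:
    """Step 1, identification: a shared account discloses no identity, so refuse it."""
    normalized = user_id.strip().lower()
    if not normalized or normalized in GENERIC_ACCOUNTS:
        raise PermissionError(f"account '{user_id}' does not identify a person")
    return normalized

def authenticate(user: User, required: int = 2) -> bool:
    """Step 2, authentication: require at least `required` distinct factor types."""
    return len(user.verified_factors & FACTOR_TYPES) >= required

def authorize(user: User, record: PatientFile) -> Tuple[bool, str]:
    """Step 3, authorization (need-to-know): being a doctor in the hospital is not
    enough; the user must be on this patient's care team."""
    if not authenticate(user):
        return False, "identity not verified"
    if user.role not in ("doctor", "nurse"):
        return False, f"role '{user.role}' has no clinical need"
    if user.user_id not in record.care_team:
        return False, "user not on this patient's care team"
    return True, "ok"

def open_patient_file(user: User, record: PatientFile) -> Tuple[bool, str]:
    """Run the three steps in order; the first failure stops the request."""
    try:
        identify(user.user_id)
    except PermissionError as exc:
        return False, str(exc)
    return authorize(user, record)
```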

Commenting on the nature of the first GDPR fines, Dr Feiler says: “Rather than imposing a great number of fines for non-compliance with new GDPR requirements, the data protection authorities focused on a small number of cases where basic requirements were not satisfied. This underscores the importance of setting clear priorities when implementing the GDPR in any organisation.”

