[Med-privacy] right to privacy and the protection of personal information
peter marshall
pwm@comcast.net
Thu, 24 Jul 2008 17:21:22 -0700
Court Rules that Data Breach Violates Fundamental Human Rights
================================================
The Finnish government will be required to pay a fine because it failed
to protect patient data against the risk of unauthorized access,
according to a ruling from the European Court of Human Rights. The
ruling establishes a nexus between the right to privacy under human
rights law and the protection of personal information. The European
Court of Human Rights held that Article 8 of the European Convention on
Human Rights, which guarantees respect for every citizen's private life
against needless interference by the government, includes an affirmative
obligation to ensure the security of personal data. According to the
court, a government hospital's failure to guarantee the security of the
petitioner's data against the risk of unauthorized access constituted a
“breach of the state's positive obligation to secure respect for her
private life by means of a system of data protection rules and
safeguards.”
The hospital ran afoul of the Convention's guarantee of personal privacy
because its records system violated Finland's own law requiring
hospitals to secure personal data against unauthorized access. The
petitioner, who worked as a nurse at the same hospital where she was
being treated for HIV, began to suspect that her co-workers had learned
about her disease by reading her confidential medical records. Although
hospital rules stated that records could only be accessed for treatment
purposes, as a practical matter patient records could be viewed by any
hospital staff. Despite the plain privacy violation, the petitioner was
unable to meet her burden under the Finnish privacy law. The hospital's
failure to sufficiently document access to medical records made it
difficult to prove that loose policies caused the rumors.
Nevertheless, the court held that the simple fact that the hospital had
an insecure medical records system was enough to make the health care
facility responsible for the otherwise unexplained spread of the
employee's private medical information. “The mere fact that the domestic
legislation provided the applicant with an opportunity to claim
compensation for damages caused by an alleged unlawful disclosure of
personal data was not sufficient to protect her private life,” said the
court. “What is required in this connection is practical and effective
protection to exclude any possibility of unauthorized access occurring
in the first place. Such protection was not given here.”
The European Court of Human Rights was established in 1950 by the European
Convention on Human Rights. It has issued many important privacy decisions
based on Article 8 of the European Convention.
European Court of Human Rights:
http://www.echr.coe.int/echr/
I v. Finland, Eur. Ct. H.R., No. 20511/03 (17 July 2008):
http://www.epic.org/privacy/intl/echr-finland.pdf
EPIC's Privacy And Human Rights Report:
http://epic.org/phr06/
EPIC's Medical Privacy Page:
http://epic.org/privacy/medical