Dis­clo­sure of health data to hus­band: fine of EUR 50,000; publi­ca­ti­on as secon­da­ry sanction

In Ita­ly, the Garan­te, the Ita­li­an super­vi­so­ry aut­ho­ri­ty, issued a deci­si­on on Janu­a­ry 27, 2021, impo­sing a fine of EUR 50,000 on a hospi­tal that had been char­ged with a bre­ach of data pro­tec­tion requi­re­ments for health data (Deci­si­on in Ita­li­an).

The case con­cer­ned data of a pati­ent who had spe­ci­fi­cal­ly orde­red in a spe­cial form not to inform third par­ties about her plan­ned abor­ti­on and to use a sepa­ra­te tele­pho­ne num­ber for con­ta­c­ting her. This form was not inclu­ded in the patient’s file. A nur­se sub­se­quent­ly cal­led the pati­ent at the land­li­ne num­ber stored in the pati­ent file. To the hus­band, who ans­we­red the call, she gave the type of ward whe­re the pati­ent was admit­ted, but no other infor­ma­ti­on about the patient’s medi­cal con­di­ti­on. The gua­ran­tor nevertheless eva­lua­ted this infor­ma­ti­on as a health record wit­hin the mea­ning of Art. 4 No. 15 GDPR.

The buses were deter­mi­ned accord­ing to the fol­lo­wing cri­te­ria, among others:

  • Nega­ti­ve effects on the patient’s pri­va­te life
  • Dis­clo­sure of health data
  • spe­cial pro­tec­tion of data on abortions
  • Lack of tech­ni­cal and orga­niz­a­tio­nal secu­ri­ty measures
  • appar­ent­ly exem­pla­ry coope­ra­ti­on of the hospi­tal in the investigation.

As a “com­ple­men­ta­ry sanc­tion”, the publi­ca­ti­on of the deci­si­on on the Garante’s web­site was orde­red (“la san­zio­ne acces­so­ria del­la pub­bli­ca­zio­ne sul sito del Garante”).

Naming and shaming is a deli­be­ra­te ancil­la­ry sanc­tion of Ita­li­an data pro­tec­tion law. Art. 166 Par. 7 of the Pri­va­cy code pro­vi­des for this:

7. nel­l’a­do­zio­ne dei prov­ve­di­men­ti san­zio­na­to­ri nei casi di cui al com­ma 4 si osser­va­no, in quan­to app­li­ca­bi­li, gli arti­co­li da […]; nei mede­si­mi casi può esse­re app­li­ca­ta la san­zio­ne ammi­ni­stra­ti­va acces­so­ria del­la pub­bli­ca­zio­ne del­l’or­di­nan­za-ingi­unzio­ne, per inte­ro o per est­rat­to, sul sito inter­net del Garan­te.

When adop­ting sanc­tion mea­su­res in the cases refer­red to in para­graph 4 of this Arti­cle, Arti­cle […] shall be obser­ved to the extent that it is app­li­ca­ble; in the same cases, it may be as an acces­so­ry admi­ni­stra­ti­ve sanc­tion, the publi­ca­ti­on of the cea­se-and-desist order in who­le or in part on the Guarantor’s Web­site.]

The same pro­vi­si­on, moreo­ver, pro­vi­des that 50% of the pro­ce­eds of the fine shall be allo­ca­ted to the fund that finan­ces the acti­vi­ties of the Garan­te (Art. 156 of the Codice).