Out-Law / Your Daily Need-To-Know

Dutch data protection authority fine signals warning to healthcare practitioners

Out-Law News | 21 Jun 2021 | 9:28 am | 1 min. read

Healthcare practitioners should ensure any data submitted by patients is transmitted securely to avoid a fine for breaching the EU’s General Data Protection Regulation (GDPR), an expert has said.

Data protection expert Wouter Seinen of Pinsent Masons, the law firm behind Out-Law, said the €12,000 fine handed out by the Dutch data protection authority, the Autoriteit Persoonsgegevens (AP), to an orthodontist practice was a warning to other practitioners.

The AP fined the orthodontic practice after it emerged that data sent via its online registration form, including name and address details and national identification numbers, was not encrypted. The GDPR requires controllers of personal data to implement measures to secure it against loss or unlawful processing, and the AP said the lack of a security certificate on the website exposed data sent through the registration form created a risk of that data being unlawfully intercepted by a third party.

Seinen said the case was notable because web forms that are not sent over secure connections are common, and it appeared that the AP was imposing the fine to warn other healthcare practitioners to make sure they were using encrypted systems.

According to an automatic translation of the AP decision, the regulator determined that the orthodontist had breached its security obligations as cryptographic security is mentioned in the ISO standard for data security in the medical sector, and the practice should observe extra care since it is processing medical data, and particularly data relating to children.

The AP said the practice had breached article 32 of the GDPR, which relates to security of processing. This would normally attract a basic fine of €310,000, the second-highest level in a three-tier system.

However, as the breach related to the registration form on the website rather than patient administration, the AP said it was appropriate to designate the violation as a category I breach rather than category II, which incurs a €100,000 basic fine.

The fine was further lowered to €12,000 under proportionality principles as the business was a small and medium enterprise.

Seinen said it was also “remarkable” that the AP had not named the orthodontist in the case.

“This is probably because the practice was small and mentioning the practice would immediately identify the orthodontist running it,” Seinen said.

The case is the latest example of the AP taking action against an organisation for a breach of GDPR rules. In May, the authority fined an employer for failures relating to the processing of employee sickness data.