Certificates attesting to a person's presence in hospital, issued to justify an absence from work or the impossibility of participating in a competition, must not include an indication of the facility where the health service was provided, the stamp with the doctor's specialization, or any other information from which the person's state of health could be inferred.
This is what the Guarantor reiterated in fining a Territorial Health Authority 17 thousand euros.
The Guarantor intervened following a complaint from a patient who had asked the health facility for a certificate to justify an absence from work.
The certificate issued indicated the department that had provided the health service, violating security obligations and the principle of personal data minimization.
The data processed, in fact, must be adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed.
Furthermore, the Guarantor ascertained a violation of the principle of privacy by design: the Health Authority, as data controller, failed to implement, from the design stage, adequate technical and organizational measures aimed at effectively implementing the data protection principles and protecting the rights of data subjects.
The Health Authority will therefore have to pay a fine of 17 thousand euros. Although it modified its forms and carried out specific staff training on personal data protection following the Guarantor's intervention, the violation involved a potentially high number of patients over a long period. In setting the fine, the Guarantor also considered that the Health Authority did not respond to the Guarantor's request for information, thereby committing a further violation of the Code.
https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/10086101