FINNISH SUPERVISORY AUTHORITY: excessive data shall not be collected or shared for insurance companies' claims handling

The Office of the Personal Data Protection Authority has clarified how the Finnish Insurance Center of the patient and the Insurance Center of transports operate when they obtain information from health care for the processing of compensation.

The Office of the Authority has also examined how both providers operate when they communicate patients' personal data to insurance companies. According to the report, insurance companies have requested patient data extensively. Also, health operators have provided health data without analyzing them.

People who filed complaints with the Office of the Personal Data Protection Authority considered that the Insurance Center of the patient and the Insurance Center of transports requested their patient documents from health care more extensively than necessary for the investigation of the damage. Complainants considered the transfer of patients' data by health operators excessive.

For example, patients' psychotherapy reports were requested and provided in the case of a car accident.

The minimization principle shall be observed when data are requested and provided

Both the party that provides data and the party that receives them shall ensure that personal data are not collected or shared to an excessive extent. The right of insurance companies to access information is limited by the necessity requirement of insurance regulation, according to which insurance companies have the right to receive the patient's personal data that are necessary to settle a claim.

A similar requirement to limit data is included in personal data protection legislation.

According to the data minimization principle of the General Data Protection Regulation, the personal data processed shall be relevant and limited to a specific need. In compliance with the requirement of data protection by design and by default, the insurance company shall ensure that it processes only the information necessary for the compensation.

In order to fulfil these requirements, a request for information to health care shall be limited case by case and can refer to basic necessary information. Health operators shall assess, based on the insurance company's request, which information is necessary.

In its decision, the Authority also takes a position on the modes of sharing personal data. The Authority considers that information on the patient's health status shall be shared mainly as a declaration in compliance with the recommendation of the Finnish Health Association.

If, for a justified reason, information is to be provided as copies of clinical records, only the necessary information shall be provided, for example by covering unnecessary information. The Authority underlines that when copies of clinical records are provided, the need for the data shall be assessed with particular attention.

The Authority has commented on the breach of the General Data Protection Regulation

The Authority has issued an observation to the Finnish Insurance Center of the patient on the processing of data in breach of the General Data Protection Regulation. Another operator has received an observation and an order to change its procedures for transferring patients' personal data to insurance companies so that they comply with the requirements of the GDPR.

The investigation of similar cases will continue at the Office of the Personal Data Protection Authority.

Decision of the Personal Data Protection Authority on the Insurance Center of the patient:

TSV Päätös 3141.182.21

Decision of the Personal Data Protection Authority on health operator:

TSV Päätös 3096.161.21

Decision of the Personal Data Protection Authority on the Insurance Center of Transports:

TSV Päätös 1007.452.17

SOURCE: FINNISH DATA PROTECTION AUTHORITY
