The Norwegian Data Protection Authority has sent a declaration to Oslo University Hospital (OUS) concerning confidential patient information that was published in a public newspaper for three years.
The case began when the Danish Data Protection Authority received a personal data breach notification (notification of non-compliance) from Oslo University Hospital on 18 May 2020. The notification stated that there were 275 cases in which personal information had been published in the public newspaper register over a period of three years.
Legislation breaches.
In addition to the breach of the special legislation, the hospital also appears to have breached some GDPR requirements. Publishing a patient's personal information is a breach of professional secrecy, and the hospital must exclude personal information from public registers. In addition, the Patient Record Act requires the hospital to provide adequate information security and internal control, in order to guarantee compliance with the GDPR requirements and the responsibility of the processor (Articles 32 and 34).
It seems serious
The Data Protection Authority thinks that this type of non-compliance has been going on for a long period of time and has now asked the hospital for a supplementary report on the discrepancy. We have received a copy of the warning letter that the hospital sent to those affected. However, the non-compliance notice we have received contains too little information about the cause, consequences and measures taken, and we have therefore considered it a preliminary notice.
Oslo University Hospital must answer the questions by 28 June 2018. Retrieved 30 July 2020.