The Data Inspectorate has examined how 8 health workers control and limit staff access to the main clinical record systems. The Authority found deficiencies in 7 of the 8 cases, and this has led to administrative sanctions of up to 30 million SEK.
The Data Inspectorate has completed an investigation of 8 assistance providers. It examined whether the providers have carried out the needs and risk analysis necessary to give staff the right to access personal data in the main clinical record systems.
The health workers should carefully analyze and assess what information the staff need and what risks are connected to staff access to patients' personal data. Without this analysis, the health workers cannot assign the correct authorizations to the staff, which means that the operations cannot guarantee patients the privacy protection they must have. Magnus Bergström is the coordinator of the 8 investigations.
The Data Inspectorate states that 7 of the 8 health workers have not carried out an analysis of the risks and needs, while the 8th health worker has carried out the analysis, but it has some deficiencies.
The Authority states that 7 assistance providers do not limit user authorizations for access to their respective clinical record systems to what is truly necessary for the worker to perform his/her job.
This means that 7 assistance providers have not implemented sufficient measures to be able to guarantee and demonstrate adequate security for personal data in the clinical record system.
The deficiencies of 7 health workers are so serious that they bring administrative sanctions of between 2.5 million SEK and 30 million SEK. The amount of the sanction can vary widely depending on whether it is a company or an authority. If it is a company, the amount can be a maximum of 20 million SEK or 4% of the company's global annual turnover, whichever is higher. For authorities, the sanction can reach a maximum of 10 million SEK.
The Data Inspectorate has produced guidelines which summarize the conclusions of the audit about the requirements for carrying out the needs and risk analysis.
These guidelines underline the importance of health workers ensuring that the needs and risk analysis takes place, and offer health workers help in performing this analysis, which must be performed before authorizations are assigned in the medical record systems. It is now our hope that all healthcare professionals in the country will use the information contained in this guide in their work to ensure that the right allocation of rights takes place in order to provide patients with the privacy protection to which they are entitled.