The Information Commissioner has fined an employee of the University Psychiatric Clinic of Ljubljana €950 for unlawfully accessing a patient’s data. The healthcare professional used her password to access the patient’s personal data, even though she did not need the data for the purpose of medical treatment or for other specific work tasks performed within the scope of her authority. In doing so, she violated the basic principles of lawful processing of personal data, in particular the principles of lawfulness and purpose limitation under the General Data Protection Regulation.
In companies, organizations and other institutions where personal data is regularly processed, it is extremely important that everyone who has access to this data handles it responsibly, carefully and only within the scope of their work tasks. Any access to personal data must be justified, necessary and limited to a specific task. An employee may only access personal data that is strictly necessary for the performance of specific work tasks arising from their employment contract or another act.
Any access that goes beyond these limits, for example, viewing someone else’s personal data for personal interest or curiosity, constitutes unlawful processing and thus a violation of data protection legislation. Even if an employee is given technical access to personal data, this does not necessarily mean that they also have the right to view it. Viewing the data is only permitted if it is necessary for the performance of a specific work task.
To prevent illegal access to personal data, organizations must establish clear rules for managing access rights, access audit systems, and other measures to secure personal data. However, rules and technical measures are not sufficient without regular training for employees who work with personal data on a daily basis.
The protection of fundamental human rights and respect for individual privacy are particularly crucial in healthcare and other institutions that process sensitive personal data. Any unauthorized access can have serious consequences for the individuals whose data has been unlawfully processed, for the offenders, who may face legal sanctions, and for the reputation of the controller.