Recorded conversations with 1177 were open on the internet – penalty fee
After it became known that recorded calls to 1177 were openly available on the internet, the Privacy Protection Authority (IMY) initiated an investigation that resulted in several actors being deemed to have violated the EU’s data protection regulation, GDPR, and were therefore forced to pay penalty fees. One of these actors was Region Värmland, which appealed the Authority’s decision to the Administrative Court. However, the Court found that the region had failed in its processing of personal data and the appeal was rejected.
2.7 million recorded calls relating to healthcare information have been stored on easily accessible server
In 2019, the magazine Computer Sweden published an article entitled “2.7 million recorded calls to 1177 Vårdguide completely unprotected online”, prompting IMY to launch an audit. The audit revealed that recordings of telephone medical advice provided by three regions, including Region Värmland, had ended up on a completely open server that could be accessed by anyone. What had happened was that Inera, a company owned by, among others, the regions of Sweden and working with digitalization in healthcare, had hired the company MedHelp. The latter company is one of the healthcare providers hired by 1177 to provide healthcare advice. MedHelp, in turn, had hired a company based in Thailand to handle calls during weekends and nights. When people called 1177 for advice, their calls were routed from MedHelp, via switches belonging to a company called Voice, to the company in Thailand. It was on a server belonging to Voice that the recorded calls were found by Computer Sweden. The reason that the audio recordings could be accessed by anyone was that the server had been misconfigured and had not used encrypted communication.
Region Värmland has failed in its obligation to provide information
According to IMY, the fact that personal data has been openly accessible in this way is extremely problematic with regard to the GDPR. Furthermore, there have been many actors involved, and the authority’s review of the incident has largely been about sorting out who is responsible for what. The personal data that the regions were responsible for processing turns out to be the callers’ municipality ID and telephone number. IMY considers that the processing carried out by Region Värmland of this personal data was in itself acceptable under the General Data Protection Regulation. However, the GDPR also provides for a far-reaching information obligation for the operators who process personal data, and in this respect Region Värmland has not lived up to the requirements imposed. The obligation to provide information primarily means that persons whose data are recorded must be informed that this is happening and why. IMY therefore decided to impose a penalty fee of SEK 250,000 on Region Värmland in June 2021. However, the region considers that this is an infringement of a less serious nature and that the penalty charge is too far-reaching. The decision was therefore appealed to the Administrative Court with a request that the fee be replaced by a milder sanction, or in any case reduced to a lower amount.
Data obtained from the telephone operator shall be deemed to come directly from the data subject
Initially, Region Värmland claims that IMY based its assessment on the wrong provision in the GDPR. According to IMY, the processing of personal data has taken place in violation of Art. 13, which stipulates what information is to be provided when personal data is collected directly from the data subject, as well as how that information is to be disclosed. Since the data in the case were obtained from the telephone operators of the data subjects and then forwarded to 1177, the Region considers that the data were not collected directly from the data subjects and that it is therefore Article 14 that applies. According to the region, the application of Article 14 means that information needs to be disclosed to data subjects at a later stage than in the case of Article 13.
While acknowledging that accurate information has still not been provided, the Region maintains that the fact that the obligation to provide information arises later than IMY claims implies that the Authority misjudged the gravity of the situation.
The Administrative Court states, first of all, that the provisions are broadly equivalent as regards the information to be disclosed and under what circumstances. Thus, according to the Court, it does not make much difference to the assessment which article is used. Furthermore, the Court observes that Article 13 refers both to information knowingly provided by the data subject and to information obtained by observing the data subject. According to the Court, the forwarding of data to 1177 by the telephone operators constitutes such an observation and may therefore form the basis for applying Article 13. Thus, IMY has not used the wrong provision as a basis for its assessment of the region’s obligation to provide information.
Region Värmland has infringed Art. 13 and 5.1 (a)
Region Värmland also points out that exemptions from the obligation to provide information exist in situations where the data subject already has relevant information on how personal data will be processed. According to the region, care applicants who use a service such as 1177 are likely to assume that their information is passed on and therefore the obligation to provide information should be considered fulfilled.
The Court notes that Article 13(4) does contain an exception under which the obligation to provide information can be considered fulfilled if the data subject already has relevant knowledge of how his or her personal data will be processed. However, according to the Administrative Court, it is not enough for a person to expect a certain type of processing; the person concerned must know exactly how the processing of personal data takes place and why. Consequently, the region has not fulfilled its obligation to provide information under Art. 13, which constitutes a violation of the GDPR. IMY also claims that the Region, by not disclosing relevant information, violated the principle of transparency in Art. 5(1)(a), which stipulates that personal data must be processed in a transparent manner in relation to the data subject. Since it has already been established that the Region has infringed Art. 13, the Administrative Court considers that the processing of personal data also constituted a violation of the principle of transparency.
Serious infringements and no extenuating circumstances — the penalty fee to be paid
The next question for the court to decide is whether the penalty fee should be levied, and if so, by what amount. According to the region, there are some mitigating circumstances that speak against the imposition of a penalty fee. Firstly, according to Region Värmland, IMY has incorrectly stated that the region does not have contact details for the data controller published on its website. In addition, it is pointed out that 1177 is a very important service for the Swedish healthcare system. The Region therefore considers it unbelievable that providing accurate information regarding the processing of personal data would lead to persons in need of health care information refraining from contacting 1177. Furthermore, the region states that it has not been shown that anyone suffered harm from the lack of information. Finally, it is underlined that, according to the Act on Supplementary Provisions to the GDPR, regions should not normally be subject to penalty charges.
With regard to the fact that contact details are published on the regional website, the Court states that this was of little benefit, since the data subjects were not even informed of the processing of personal data that had taken place. Regarding the objection that persons in need of information would hardly refrain from contacting 1177 even if they had received correct information, the Administrative Court considers this to be rather an aggravating circumstance. The Court points out that 1177 fulfils an important function for Swedish citizens and that it is therefore of greater importance that persons are given the information they are entitled to when using the service. Nor does the Court see it as a mitigating circumstance that the region has no knowledge of harm having occurred to any data subject. Instead, the Court argues that the violation of the rights of data subjects in itself means that an injury has occurred. With regard to the claim that regions should not normally have to pay penalty fees for GDPR infringements, the Court confirms that this is indeed the case. In the present situation, however, the Court considers that, in the light of the number of data subjects concerned and the duration of the infringement, a penalty charge should nevertheless be levied for such a serious infringement. The Court’s overall assessment is that there is no reason not to impose a penalty charge, or to calculate that fee differently from what IMY has done. The Administrative Court thus rejects Region Värmland’s appeal.