The NCPDP received a complaint from a data subject, requesting the verification of the legality processing of his personal data, manifested by the transmission, by a district health center, of information on his health, in the address to a lawyer, who would subsequently present them at the court hearing, considering that through these actions his private and family life had been harmed.
According to Law no. 133/2011 on personal data protection, data on patient health, results of investigations, diagnosis, prognosis, treatment, entered in the medical documentation of a patient, constitute special categories of personal data, these having an increased level of protection.
In this context, when examining the case, NCPDP took into account the provisions of Law no. 133/2011 on personal data protection, order in which, in the light of art. 6 and 7 of the Law on personal data protection, the processing of personal data on health status would be allowed only if personal data subject has given his consent or one of the following situations has occurred:
– processing is necessary for the purposes of carrying out the obligations and specific rights of the controller in the field of employment law, providing safeguards set by law, as well as taking into account that possible disclosure of the personal data processed for this purpose to a third party may take place only if there is an appropriate legal obligation of the controller, therefore;
– processing is necessary to protect the life, physical integrity or health of the personal data subject or of another person where the data subject is physically or legally incapable of giving his consent;
– processing relates to data which are voluntary and manifestly made public by the personal data subject;
– processing is necessary to establish, exercise or defend of legal claims of the personal data subject;
– processing is necessary for the purposes to ensure national security, of reducing the risk of unleashing or in case of triggering public health emergencies where the processing is unlikely adversely to affect the rights of personal data subject and the other appropriate safeguards provided for in this law.
Alternative, art. 29 para. (1) of Law no. 133/2011 on personal data protection, establishes the obligation of controllers and third parties who have access to personal data to ensure the confidentiality of those data, except where:
a) processing relates to data which are voluntary and manifestly made public by the personal data subject;
b) personal data are rendered anonymous.
In accordance with the provisions mentioned above, art. 14 of the Health Care Law, states that doctors, other health care workers, pharmacists are obliged to keep secret the information regarding the disease, the intimate and family life of the patient, except the cases of danger of spread of communicable diseases, at the motivated request of the criminal investigation bodies or of the courts.
Also, the provisions of Law on the rights and responsibilities of the patient 263/2005 which contains special legal rules aimed at strengthening fundamental human rights in the health care system, ensuring respect for the dignity and integrity of the patient, and based on the nature of sensitive health data, establishes strict conditions for their disclosure. It will be emphasized that patient health data, by their nature, may present a risk for data subjects when are processed and therefore require increased protection. These data are subject to a prohibition principle and there must be a limited number of circumstances in which such processing is lawful. At the same time, the confidentiality of medical data is a professional secret, which is a form of the right to respect for privacy. Prohibition of the disclosure of medical information, classified as confidential, is necessary to ensure that medical institutions ensure the patient’s right to privacy.
In this regard, given the content of the medical certificate issued to the lawyer, NCPDP found that the disclosure of information on the nature of data subject’s diseases, which represents data on health, time of treatment, and date of the last visit to the health center, took place contrary to the legal provisions mentioned above and the principles of personal data processing provided in art. 4 para. (1) let. a) and b), as well as art. 6, 7 and art. 29 of Law no. 133/2016 on personal data protection, an action classified within the contravention norm provided by art. 741 para. (4) Contravention Code.
Following the examination of the case, NCPDP issued the decision regarding the violation of the principles of personal data processing and concluded the report on the contravention, being referred to the court and as a result the person in charge of the district health center was found guilty of committing the contravention provided by art. 741 para. (4) Contravention Code.
Taking into account the provisions of art. 53 of the Law on Advocacy, in conjunction with art. 5 para. (5) of the Law on personal data protection, the request for information by a lawyer is a right and not an obligation of a lawyer. Respectively, it cannot be retained as the legal basis of the data controller – district health center, for the disclosure of personal data concerning the personal data subject, as long as the processing was not necessary for the express fulfillment of an obligation directly to the controller according to the law, the representative of the entity being obliged to ensure the confidentiality of personal data.
However, the NCPDP notes that, in a trial, in order to avoid a serious violation of the principles of personal data protection by their unauthorized disclosure, the resolution of requests for access to personal data on health status will be achieved taking into account the provisions of art. 118 Code of Civil Procedure, according to which the circumstances that are important for the fair settlement of the case are definitively determined by the court based on the claims and objections of the parties and other participants in the trial, as well as the following material and procedural law to be applied.
Respectively, the parties or other participants in the trial may address to the court (judge), pursuant to art. 119 Code of Civil Procedure, a request for evidence, and the judge, analyzing the reasons invoked in the request for evidence and assessing the proportionality of the volume of information for solving the civil case, will request the necessary evidence from organizations and individuals.
The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.