Finland in breach of Article 8
The European Court of Human Rights said in a judgment on Thursday that Finland had failed to protect the confidentiality of patient information and ordered the state to pay a nurse about 14,000 euros in damages and 20,000 euros in costs.
The nurse worked in a public hospital on fixed-term contracts between 1989 and 1994 and paid regular visits to the same hospital’s infectious diseases clinic from 1987, having been diagnosed with HIV. In 1992, it transpired that her colleagues at the hospital’s ophthalmic department had had access to her patient records. Three years later, her contract was not renewed.
The Strasbourg court found unanimously that the district health authority, by failing to establish a system from which the nurse’s confidential patient information could not be accessed by staff who did not treat her, had violated article 8 of the European Convention of Human Rights, which says “everyone has the right to respect for his private and family life, his home and his correspondence”.
The Court notes that the mere fact that the domestic legislation provided the applicant with an opportunity to claim compensation for damages caused by an alleged unlawful disclosure of personal data was not sufficient to protect her private life.
That bit is important because governments tend to claim that, in the unlikely event of a breach of privacy, the individual is entitled to claim compensation, and therefore we need not worry about a thing! Of course, sometimes no amount of money can compensate for unauthorised disclosure of personal information.
What is required in this connection is practical and effective protection to exclude any possibility of unauthorised access occurring in the first place. Such protection was not given here.
I have some sympathy for the Government here, because I can’t see how they could “exclude any possibility of unauthorised access”.
Indeed that is one of my arguments against any system that stores lots of personal data in (essentially) one place and allows a large number of people access to it – that there will always be a risk of unauthorised access.
All we can do is attempt to decrease the risk of unauthorised access, and observe the principle of only storing the data relevant for the purposes for which they are processed in order to mitigate the damage of unauthorised disclosure.