UK Liberty

Finland in breach of Article 8

Posted in database state, privacy by ukliberty on July 25, 2008

[hat-tip Ross Anderson at Light Blue Touchpaper]

Helsinki Times:

The European Court of Human Rights said in a judgment on Thursday that Finland had failed to protect the confidentiality of patient information and ordered the state to pay a nurse about 14,000 euros in damages and 20,000 euros in costs.

The nurse worked in a public hospital on fixed-term contracts between 1989 and 1994 and paid regular visits to the same hospital’s infectious diseases clinic from 1987, having been diagnosed with HIV. In 1992, it transpired that her colleagues at the hospital’s ophthalmic department had had access to her patient records. Three years later, her contract was not renewed.

The Strasbourg court found unanimously that the district health authority, by failing to establish a system from which the nurse’s confidential patient information could not be accessed by staff who did not treat her, had violated article 8 of the European Convention of Human Rights, which says “everyone has the right to respect for his private and family life, his home and his correspondence”.

The judgement is available online.

The Court notes that the mere fact that the domestic legislation provided the applicant with an opportunity to claim compensation for damages caused by an alleged unlawful disclosure of personal data was not sufficient to protect her private life.

That bit is important because governments tend to claim of such things that in the unlikely event of a breach of privacy the individual is entitled to claim compensation, and therefore we need not worry about a thing!  Of course sometimes no amount of money may compensate for unauthorised disclosure of personal information.

What is required in this connection is practical and effective protection to exclude any possibility of unauthorised access occurring in the first place. Such protection was not given here.

I have some sympathy for the Government here, because I can’t see how they could “exclude any possibility of unauthorised access”.

Indeed that is one of my arguments against any system that stores lots of personal data in (essentially) one place and allows a large number of people access to it – that there will always be a risk of unauthorised access.

All we can do is attempt to decrease the risk of unauthorised access, and observe the principle of only storing the data relevant for the purposes for which they are processed in order to mitigate the damage of unauthorised disclosure.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: