A hacker accessing personal data, or an employee leaving a confidential list of patient data in a shopping cart, are very obvious examples of personal data breaches under the GDPR. However, less conspicuous personal data breaches may fly under the radar because companies do not recognize them as such. Last week, a Dutch hospital encountered one of these less recognizable personal data breaches, namely the accidental deletion of data. Lessons can be learned from this breach.
By Cécile van der Heijden
The Albert Schweitzer hospital has accidentally overwritten (older) digital documents in patient files, causing the hospital not to comply with its legal retention obligation of retaining data in patient files for a minimum of 20 years. The issue was caused by a switch from a paper archive to a digital archive. Due to incorrect settings, new documents added to the archive were given the same document names as older documents, thus replacing the older, inactive documents and causing their accidental destruction. As no paper or other digital copies of these files were available, the deletion of the original archive files constitutes a personal data breach. After all, Article 4(12) GDPR expressly defines a personal data breach as, among other things, a breach of security leading to the accidental destruction of personal data. Clearly, in this case the hospital did not apply adequate technical measures to ensure the safety of the personal data in the archive. An adequate measure would have been to protect the archive against the overwriting of documents.
Unfortunately, the hospital only discovered the mistake after a full year, as the archive data was not monitored correctly, leading to the accidental deletion of over half a million documents. The personal data breach has been reported to the Dutch supervisory authority, the Autoriteit Persoonsgegevens.
Personal data breaches are a nightmare for every company handling sensitive personal data, due to the hassle they cause and the (potential) legal consequences, but also due to the reputational damage a personal data breach can cause. The lesson to be learned from the personal data breach at the Albert Schweitzer hospital is that it can be worthwhile to pay regular attention to the state of archives and back-ups to ensure the safety of the personal data involved, particularly where the intention is to store the personal data in the long term.
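As an added illustration that is not part of the original post, the code below shows the failure mode described above (a name clash that silently replaces an older document) beside an ingest routine that refuses to overwrite, plus the kind of periodic archive check the lesson above calls for. The archive layout, the manifest file and the document names and contents are all constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def ingest_overwriting(archive: Path, name: str, data: bytes) -> None:
    """Weak ingest: a repeated document name silently replaces the older file ('wb' truncates)."""
    archive.mkdir(parents=True, exist_ok=True)
    (archive / name).write_bytes(data)

def ingest_protected(archive: Path, name: str, data: bytes) -> Path:
    """Protected ingest: create exclusively (O_EXCL) so an existing file is never truncated."""
    archive.mkdir(parents=True, exist_ok=True)
    stem, ext = os.path.splitext(name)
    candidate, n = archive / name, 1
    while True:
        try:
            fd = os.open(candidate, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
            break
        except FileExistsError:        # name clash: keep the old file, pick a versioned name
            candidate, n = archive / f"{stem}_v{n}{ext}", n + 1
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    with open(archive / "MANIFEST.sha256", "a") as m:   # record what must keep existing
        m.write(f"{hashlib.sha256(data).hexdigest()}  {candidate.name}\n")
    return candidate

def audit(archive: Path) -> list:
    """Periodic check: every manifest entry must still exist with unchanged content."""
    problems = []
    for line in (archive / "MANIFEST.sha256").read_text().splitlines():
        digest, name = line.split("  ", 1)
        p = archive / name
        if not p.exists() or hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            problems.append(name)
    return problems

def demo() -> dict:
    """Constructed scenario: two documents that happen to receive the same name."""
    with tempfile.TemporaryDirectory() as tmp:
        weak, safe = Path(tmp) / "weak", Path(tmp) / "safe"
        ingest_overwriting(weak, "letter.pdf", b"2001 discharge letter")
        ingest_overwriting(weak, "letter.pdf", b"2021 lab result")
        old = ingest_protected(safe, "letter.pdf", b"2001 discharge letter")
        new = ingest_protected(safe, "letter.pdf", b"2021 lab result")
        clean = audit(safe)
        old.write_bytes(b"clobbered by a misconfigured tool")   # simulate later damage
        return {"weak_files": len(list(weak.iterdir())),         # 1: the 2001 letter is gone
                "new_name": new.name, "audit_clean": clean, "audit_after": audit(safe)}
```

The audit flags the damaged document on the next run, which is the check that would have surfaced the hospital's problem long before a full year had passed.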
About. This blog is written by Cécile van der Heijden, an attorney-at-law specialized in EU data protection law and healthcare law in the life sciences sector, and Floris van der Laan, a paralegal with an interest in technology and its connection to EU privacy and data protection law. Both are based in Amsterdam, the Netherlands.
This blog is written with the intent to provide interesting updates about legal developments in the life sciences sector and to share thoughts about legal aspects of data protection law and life sciences specific legislation.
DISCLAIMER. This blog is written strictly in a personal capacity and does not reflect the opinion of our employer. Posts on this blog, including reactions and comments from the authors, cannot replace legal advice and do not in any manner create an attorney/client relationship. If you would like to seek legal advice from us, please reach out to us via: firstname.lastname@example.org