Personal data security at the Landspítali Department of Clinical Microbiology unit located at deCode genetics' premises
The Data Protection Authority (DPA) has completed its audit of personal data security at the Landspítali Department of Clinical Microbiology unit located at deCode genetics' premises from August 2020 to February 2021. The DPA concludes there is no evidence that the security of personal data processed at deCode genetics' premises has been inadequate. However, the DPA also concludes that the assessment of the impact of relocation for the protection of personal data did not meet the requirements of data protection legislation.
The DPA's audit was initiated when a Landspítali Head of Department stated at a Department of Civil Protection and Emergency Management information meeting on 13 August 2020 that the hospital planned to relocate part of its Department of Clinical Microbiology operations to the premises of the genetics research company deCode genetics. This would be done to increase screening capacity for the virus that causes the COVID-19 disease.
In Landspítali's reply, it was stated that before screening for COVID-19 began at the Icelandic border on 15 June 2020, the Directorate of Health carried out an impact assessment of the proposed measures on personal data protection. This assessment underpinned the Landspítali Department of Clinical Microbiology's relocation to the premises of deCode genetics from August 2020 to February 2021.
The DPA's decision concludes that the processing covered by the above assessment is not comparable to the personal data processing at issue in this case. The DPA particularly took into consideration the nature of deCode genetics employees' access to the personal data processed. During the border screening, which began in the summer of 2020, the company's employees only had access to sample numbers when analysing test samples, according to the original arrangement. When a unit from the Landspítali Department of Clinical Microbiology was relocated to the company's premises, deCode genetics employees acquired additional access, via the company's Virlab system, to the names of individuals who had tested positive in border screenings. Test samples taken at health care centres, so-called symptomatic samples, also carried a code which could be traced back to an individual in the same system. Therefore, it is the DPA's conclusion that the assessment underpinning the relocation did not meet the requirements of data protection legislation and that a new impact assessment on personal data protection should have been carried out before the Landspítali Department of Clinical Microbiology unit was relocated to deCode genetics' premises.
It is also the conclusion of the DPA that there is no evidence that the security of the personal data processed at deCode genetics' premises did not meet the requirements of data protection legislation. This is because access control was in place for the company's Virlab system, and only three employees, those involved in the needs analysis for its design, its programming and the making of necessary updates, had access to the system.
Reykjavík, 23 November 2021
Reference: 2020112772/GRB
Decision
On 23 November 2021, the Data Protection Authority (DPA) made the following decision in case no. 2020112772:
I.
Procedure
1.
Initiation of investigation
On 13 August 2020, […], a Landspítali Head of Department, stated at a public meeting of the Department of Civil Protection and Emergency Management that the hospital planned to relocate part of the activities of its Department of Clinical Microbiology to the premises of the genetic research company deCode genetics, to increase capacity for screening for the virus that causes the COVID-19 disease. The relocation was being prepared and software was being adapted. The statement prompted the DPA to write to Landspítali on August 14 2020, setting out the legal provisions on the responsibility of the data controller, data protection by design and by default, and security requirements for personal data processing. The letter also requested clarification, as discussed in Chapter I.2 below together with the hospital's replies. The DPA requested that a reply from the hospital be received before the Department of Clinical Microbiology began its planned processing activities at deCode genetics' premises. Finally, the DPA offered advice or consultation, if required, on the planned security measures for personal data processing by the hospital within deCode genetics' premises.
The DPA sent the letter again by e-mail on 4 September 2020, as the Authority had then not yet received the requested reply from Landspítali, although it had received information from the hospital on 28 August of the same year that the above relocation had already taken place. The DPA reiterated its request a second time by letter dated 7 September of the same year.
2.
Replies on behalf of Landspítali
In Landspítali's reply, dated 11 September 2020, the hospital apologises for not responding earlier, explaining that the relocation had been decided upon quickly to react to the situation that had arisen in relation to testing capacity. In the letter, Landspítali stated that according to Article 5 of Act No. 19/1997 on Health Security and Communicable Diseases, the Chief Epidemiologist is responsible for planning and coordinating communicable disease control as well as maintaining a register of communicable diseases to monitor the spread of infectious diseases. Landspítali also stated that the hospital conducted border and domestic screenings on behalf of the Chief Epidemiologist based on a processing contract, dated 21 December 2015, which authorises Landspítali to employ sub-processors.
When it became clear that Landspítali's Department of Clinical Microbiology would be solely responsible for screening for the COVID-19 disease, the Department did not have the facilities needed to process the number of tests to be taken daily. Therefore, the decision was made to seek the assistance of deCode genetics. This was a temporary measure, consisting of the Department of Clinical Microbiology having facilities on the company's premises and use of its equipment while the Department's own facilities were being improved.
Regarding the DPA's individual questions, Landspítali's replies are as follows, with each question shown before the reply to it:
1. "Has an impact assessment on data protection been carried out in accordance with Article 35 of Regulation (EU) 2016/679 on personal data protection, cf. Article 29 of Act No. 90/2018? If so, what was its conclusion? "
Landspítali stated that before border screenings, carried out by deCode genetics, began in summer 2020, an impact assessment on data protection had been carried out by the Directorate of Health. The assessment took account of equipment and systems used in the screening. The processing temporarily taking place on deCode genetics' premises was comparable to the processing discussed in that assessment, and it was therefore not considered necessary to carry out a new impact assessment on personal data protection.
A processing contract, dated March 12 2020, is in place between Landspítali and deCode genetics on the analysis of test samples and the processing of personal data accompanying this.
Landspítali also stated in its reply that the temporary arrangement now in place replaced an arrangement, where testing and analysis of samples was entirely in the hands of deCode genetics employees, with an arrangement where processing was solely in the hands of Landspítali employees. It could therefore be argued that Landspítali, as processor for the Chief Epidemiologist, was in a better position than before to ensure full personal data protection in all processing of test samples and that therefore the risk associated with this arrangement could be considered lower than with the previous arrangement.
2. "Where will biological samples taken during Landspítali's Department of Clinical Microbiology's screening at deCode genetics' premises be stored and who is responsible for their security?"
Landspítali stated that biological samples would be stored in refrigerators located inside deCode genetics' laboratory, where the Department of Clinical Microbiology had facilities and recorded test samples.
Biological samples taken at the border were identified by a code which could be traced back to an individual in a system run by the Directorate of Health. If any positives were detected, data on name and ID number would be entered into deCode genetics' Virlab system, but that data was only accessible to three company employees who needed access due to their work. The data was also passed on to the Chief Epidemiologist, the COVID-19 outpatient ward at Landspítali and the Department of Civil Protection and Emergency Management's tracking team, so that necessary action could be taken.
Test samples taken at the Health Care Centre of the Capital Area, or at other health care centres, i.e. samples not part of the border screening, so-called symptomatic samples, were also identified by a code, but that code could be traced back to an individual in the Virlab system. This would be in line with the procedure normally followed when the Department of Clinical Microbiology analysed samples for health care centres. Such an arrangement expedited notification to the person concerned of the result of the test, but the person in question was obliged to be in isolation while waiting for the results of the test. It would have been onerous for individuals who came for testing due to symptoms to wait unduly for a result.
The Virlab system was access-controlled and only ID numbers and results were recorded. Other data, such as patient symptoms and background, were not recorded. All negative test samples were to be destroyed after a conclusive result was obtained. Department of Clinical Microbiology employees were responsible for ensuring that handling and storage of test samples was correct. According to the current processing contract, deCode genetics, as sub-processor of Landspítali, ensured adequate security in consultation with the hospital and the Chief Epidemiologist.
3. "How will the activities of the Landspítali Department of Clinical Microbiology, which is to take place at deCode genetics' premises, be kept separate from the company's activities?"
Landspítali stated that the hospital had its own employees on deCode genetics' premises who worked on the analysis of the test samples. The company's employees did not play a role in the analysis in any way other than to supervise the equipment and tools that the Landspítali Department of Clinical Microbiology used and to assist with these if needed. The supervision of a deCode genetics employee was important to ensure that the equipment worked properly. Other deCode genetics employees had access to laboratories and refrigerators but were not authorised to handle the test samples.
4. "How will access management be handled?"
Landspítali stated that deCode genetics employees who needed access to laboratories and the Virlab system due to their work had that access. The same applied to the Landspítali Department of Clinical Microbiology employees. Others did not have access.
5. "What instructions have employees received or will receive regarding personal data protection?"
Landspítali stated that all those who begin work at the hospital receive a special induction training where they are informed of the duty of confidentiality that rests on them by law. There are also procedures in place regarding security that are accessible and have already been introduced to the Department's employees.
3.
Decision on audit - further communication between the parties
The DPA notified the Directorate of Health, Landspítali and deCode genetics, by letter dated 17 November 2020, that it had decided to carry out an audit of the processing of personal data by the Landspítali Department of Clinical Microbiology unit located at deCode genetics' premises to confirm whether the processing arrangements were as stated in Landspítali's replies and how the security of the data was ensured. In the letter, the DPA requested that Landspítali send information prepared on the personal data processing taking place on deCode genetics' premises, including procedures which may have been introduced, documentation of data security and a record of processing activities, in accordance with Article 26 of Act No. 90/2018. On December 7 2020, the DPA received the requested information from Landspítali. The attached letter from the hospital stated that the information had been prepared by the hospital and deCode genetics.
An e-mail from deCode genetics to the DPA, dated 11 December 2020, stated that the company interpreted the DPA's message dated November 17 of the same year to be substantially directed to Landspítali, although various data on the processing that the company had prepared were relevant. It stated that deCode genetics was in possession of Landspítali's reply, dated December 7 of the same year, and that the hospital's reply mirrored their own.
On 24 February 2021, the DPA was informed by Landspítali via e-mail that the hospital's Department of Clinical Microbiology, which had been based at deCode genetics' premises, had moved back to the hospital on 22 February 2021.
On March 29 2021, the DPA sent a letter to Landspítali requesting information on whether its Data Protection Officer had been involved in the relocation of the hospital's Department of Clinical Microbiology operations to deCode genetics' premises. Landspítali's reply letter dated 7 April of the same year indicated that the DPA's request had been understood to concern the hospital's Data Protection Officer's role in the relocation of the Department of Clinical Microbiology from deCode genetics' premises back to the hospital. The DPA therefore reiterated its request by e-mail on the 20th of the same month. Landspítali replied by e-mail, dated May 5 2021, stating that the hospital's Data Protection Officer had not been consulted on the relocation of the Department of Clinical Microbiology to deCode genetics' premises before it took place.
4.
Further communication
The DPA again sent a letter to Landspítali on 22 June 2021 requesting further explanation of the hospital's replies outlined in Chapter I.2 above. In Landspítali's reply letter to the DPA, dated September 1 of the same year, the hospital replied as follows to the DPA's questions:
1. "What risks were present when analysis of test samples was carried out entirely by the staff of deCode genetics?"
Landspítali stated that the hospital had not carried out a special risk assessment when the hospital's Department of Clinical Microbiology was relocated to deCode genetics. The hospital referred to the fact that an impact assessment on personal data protection had been carried out by the Directorate of Health, in the run-up to border screenings in the summer of 2020.
2. "What security measures were taken to reduce that risk?"
Regarding this, Landspítali referred to its reply to question 1.
3. "What were the remaining risks?"
Regarding this, Landspítali referred to its reply to question 1.
4. "What was the purpose of deCode genetics employees' access to the company's Virlab system in relation to test samples taken at the border, i.e. what was entailed in their access? "
Landspítali stated that three deCode genetics employees, who were responsible for and managed human resources at the company's laboratory, had access to the Virlab system. They were responsible for ensuring that the processing of the test samples was in accordance with legal requirements and quality standards made of the company's laboratory, including the ISO 9001 quality standard. The Virlab system was designed by deCode genetics and was customised for this project. The three employees in question had been involved in the needs analysis for the design of the Virlab system, its programming and the making of necessary updates. The results of the test samples were sent from the system to the Directorate of Health after sample numbers had been linked to the names and ID numbers of patients.
5. "How many deCode genetics employees had access to the company's Virlab system when it came to so-called symptomatic test samples and for what purpose, i.e. what was entailed in their access? "
Landspítali stated that the three employees mentioned in the hospital's reply to question 4 had access to the Virlab system and for the same purpose as specified therein. The processing in the deCode genetics laboratory was the same, whether it was a test sample taken at the border, a symptomatic sample, or a quarantine sample.
6. "Why was it considered necessary for deCode genetics employees to have access to a system that stored data subjects' personal identifiers, as their access had been limited to sample numbers only when the company performed analysis of test samples taken at the Icelandic border from 15 June 2020?"
Landspítali stated that all test samples analysed by deCode genetics had been scanned into the Virlab system, whether they were taken at the border, were symptomatic samples or quarantine samples.
7. "How many deCode genetics employees had access to equipment and tools that the Department of Clinical Microbiology employees used in their analysis of test samples?"
Landspítali stated that about ten of the company's employees had access to equipment and tools, but only the three company employees mentioned in answers 4 and 5 had access to the Virlab system.
II.
Criteria and conclusion
1.
Delimitation of the case – Scope of application
The DPA's discussion below is focused solely on whether the security of COVID-19 patients' personal data was ensured when a unit of Landspítali's Department of Clinical Microbiology was relocated to the premises of deCode genetics, and not whether there was sufficient authorisation for the processing of the personal data in question. In this respect, the case falls within the scope of Act No. 90/2018 on Data Protection and the Processing of Personal Data and Regulation (EU) 2016/679, as defined in Article 4(1) of the Act, cf. Article 3(2) and (4) of the Act and Article 4(1) and (2) of the Regulation. According to Article 39(1) of the Act, the case furthermore comes under the authority of the DPA.
The discussion focuses firstly on whether the impact assessment on data protection which underpinned the relocation in question was satisfactory and secondly, on whether the security of the data complied with the requirements of Act No. 90/2018.
2.
Controller - Processor - Processing contracts
The party responsible for the processing of personal data complying with Act No. 90/2018 is named the controller. According to Article 3(6) of the Act, this refers to a natural or legal person, public authority or other body which determines, alone or jointly with others, the purposes and means of the processing of personal data, cf. Article 4(7) of the Regulation. The controller has an obligation to ensure that processing takes place in accordance with Act No. 90/2018 and Regulation (EU) 2016/679. Part of ensuring this is that the processor conducts processing in accordance with the instructions of the controller. Those instructions are required, according to Article 28(3) of the Regulation, to be governed by a contract that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.
The Chief Epidemiologist is required, according to Article 5(1) of Act No. 19/1997 on Health Security and Communicable Diseases, to keep a register of communicable diseases. Its purpose is to gather detailed data on the diagnosis of communicable diseases from laboratories, hospitals, and physicians. Its purpose is also to be of use in preventive measures and in epidemiological research, cf. Article 3 of the Act on Health Security and Communicable Diseases. According to Article 4(1) of the Act on Health Security and Communicable Diseases, the Directorate of Health shall be responsible for the implementation of communicable disease control and prevention and according to Article 4(2), the Directorate of Health shall employ a Chief Epidemiologist who shall be responsible for health security. The Chief Epidemiologist thus works at the Directorate of Health and is the controller for all the data that is processed in connection with work in relation to the Act on Health Security and Communicable Diseases. In this case, the Chief Epidemiologist is therefore considered to be the controller for the processing in question.
The controller may entrust another party with the processing of personal data on his behalf. This party is the processor, according to Article 3(7) of Act No. 90/2018 and Article 4(8) of Regulation (EU) 2016/679, i.e. a party that processes personal data on behalf of the controller, but a special agreement shall be made with such a processor in accordance with Article 25(3) of the Act and Article 28(3) of the Regulation. The Chief Epidemiologist has made an agreement with Landspítali to process personal data, for which he is the controller, and the hospital is the processor as far as that processing is concerned, cf. parties' processing contract, dated December 21 2015.
According to Article 25(2) of Act No. 90/2018, cf. Article 28(2) of the Regulation, the processor may engage another processor, often referred to as a sub-processor, if he has a specific or general written authorisation from the controller. A contract was made between Landspítali and deCode genetics, dated March 12 2020, where Landspítali entrusts deCode genetics with processing deriving from Landspítali's obligations in its processing contract with the Chief Epidemiologist. More specifically, it stipulates that deCode genetics' processing of personal data for Landspítali involves collection of and screening for the COVID-19 virus in biological samples that the company collects itself or receives from the hospital. deCode genetics is therefore a sub-processor in the sense of the above Article, as there is written authorisation in the processing contract between the Chief Epidemiologist and Landspítali to the effect that Landspítali can use such a party in the implementation of the processing.
The parties' processing contracts will not be examined further in this context, but it should be noted that they are discussed in the DPA's decision dated 23 November 2021 on the processing of personal data in connection with screening for the SARS-CoV-2 virus and antibodies to it (2020061954), as well as in the DPA's decision, dated the same day, on obtaining consent from COVID-19 patients for the use of blood samples for the research study Epidemiology of the SARS-CoV-2 virus and the effect of genetics and underlying diseases on the COVID-19 disease it causes (2020061951).
3.
Principles for the processing of personal data
All processing of personal data must comply with the principles of Article 8(1) of Act No. 90/2018, cf. Article 5(1) of Regulation (EU) 2016/679. Article 8(6) of the Act states that personal data shall be processed in a manner that ensures appropriate security of the data. The above principles are explained further in other provisions of the Act, which detail their meaning. This case engages the provisions giving effect to the principle of security of personal data in Article 8(1)(6) of Act No. 90/2018, i.e. the provisions on impact assessment on personal data protection and on the security of personal data. These provisions are discussed in Chapters 4 and 5 below.
4.
Assessment of impact on personal data protection
Article 29(1) of Act No. 90/2018, cf. Article 35(1) of Regulation (EU) 2016/679, stipulates that the controller shall assess the impact of the envisaged processing operations on the protection of personal data before the processing takes place, if it is likely to result in a high risk to the rights and freedoms of natural persons, considering the nature, scope, context, and purposes of the processing. Where a data protection impact assessment indicates that processing would result in a high risk, in the absence of measures taken by the controller to mitigate the risk, the controller shall consult with the DPA prior to processing, cf. Article 30 of Act No. 90/2018, cf. Article 36 of the Regulation. Where the DPA is of the opinion that the intended processing would breach Regulation (EU) 2016/679, in particular where the controller insufficiently identifies or mitigates risk, the DPA shall provide written advice to the controller and, where applicable, to the processor and may use any of its powers referred to in Articles 41 to 43 of the Act, cf. Article 58 of the Regulation.
On 11 June 2020, the Directorate of Health requested by e-mail prior consultation with the DPA in connection with communicable disease control measures at the Icelandic border from the 15th of the same month. Attached to the e-mail was an impact assessment on personal data protection due to the proposed measures, a draft e-mail that passengers on their way to Iceland would receive after completing the pre-registration form, where they would decide whether they were going to be tested or quarantined upon arrival in Iceland, and an image overview of main systems and the flow of information between them. A copy of Regulation 580/2020 on quarantine, isolation and testing at the Icelandic border due to COVID-19 was also attached. The DPA received an updated impact assessment on personal data protection on 12 June 2020 and additional information by e-mail on 14 June.
The Directorate of Health stated that the analysis of the samples of those who would choose to test at the border was to be carried out under the control of the Landspítali Department of Clinical Microbiology, in accordance with a contract with the Chief Epidemiologist. deCode genetics was then to analyse test samples in accordance with a contract with the hospital's Department of Clinical Microbiology. Staff involved with the analysis of samples only had access to data about sample number but no personal data on the passenger in question. All samples were to be destroyed as soon as possible after the result was available, cf. Article 4(7) of the Regulation on quarantine, isolation and testing at the Icelandic border due to COVID-19. Positive samples might, however, if necessary, be sent for further analysis for clinical purposes. When the result was available, it would be sent to the register of communicable diseases and the number of the sample in question linked to the registered passenger. Information on a negative result was to be automatically deleted from the register of communicable diseases 14 days after it was available.
The DPA provided the Directorate of Health with advice by letter dated June 14 2020. The letter stated the DPA's assessment that the processing of personal data, which the communicable disease control measures at the Icelandic border would entail, as described in the Directorate of Health's letter, would not breach Act No. 90/2018 or Regulation (EU) 2016/679. It was also the DPA's assessment that the assessment of the impact on personal data protection in question showed clearly that an attempt had been made to restrict the personal data to be processed to the extent possible, as well as access to that data.
The question arising here is whether the processing covered by the above assessment of impact on personal data protection is comparable to the processing of personal data in Landspítali's Department of Clinical Microbiology unit that was relocated to deCode genetics' premises. To determine this, account is taken of the difference in deCode genetics employees' access to the personal data processed. During the border screening, which began on 15 June 2020, the company's employees, according to the original arrangement, only had access to sample numbers when analysing samples. The context in the case under review here is that samples taken at health care centres, i.e. so-called symptomatic samples, were identified by a code which could then be traced back to an individual in deCode genetics' Virlab system. The names and generated ID numbers of the individuals who had been identified as positive in border screenings were also registered on the same system, which was accessible to three of the company's employees.
In view of the fact that deCode genetics employees gained access to the personal data of COVID-19 patients when a unit of Landspítali's Department of Clinical Microbiology was relocated to the company's premises, it is the DPA's assessment that the processing the above impact assessment covers is not comparable to the processing under consideration here.
In accordance with the above, it is the assessment of the DPA that a new assessment of the impact on personal data protection should have been carried out, cf. Article 29(1) of Act No. 90/2018 on Data Protection and the Processing of Personal Data, cf. Article 35(1) of Regulation (EU) 2016/679, before part of Landspítali's Department of Clinical Microbiology activities were relocated to the premises of deCode genetics.
5.
Security of the data at deCode genetics' premises
The controller of the processing of personal data shall take appropriate technical and organisational measures, considering i.a. the nature and scope of the processing as well as the risks for the rights and freedoms of data subjects, to ensure and to be able to demonstrate that processing is performed in accordance with the requirements of Regulation (EU) 2016/679, cf. Article 24(1) of the Regulation.
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks, of varying likelihood and severity, for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, and to integrate the necessary safeguards into the processing in order to meet the requirements of the Regulation and protect the rights of data subjects, cf. Article 25(1) of the Regulation.
The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies i.a. to the accessibility of the personal data. Such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons, cf. Article 25(2) of the Regulation.
With reference to the same considerations as above, appropriate technical and organisational measures to ensure a level of security appropriate to the risks shall be taken, such as the use of pseudonymisation or encryption of personal data. In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, e.g. unauthorised disclosure or access to personal data, cf. Article 32(1) and (2) of the Regulation.
It is the DPA's opinion that in assessing the nature of the processing of the personal data in question and the risk to the data subjects, it is important that their health data was being processed inside the premises of a party other than the controller.
In view of the above provisions, the nature of the processing in question and the risks involved in it for the data subjects, it was extremely important that the Chief Epidemiologist ensure the security of the personal data processed on his behalf inside deCode genetics' premises. For this purpose, it would have been necessary to control i.a. access to the data so that it would not be made accessible to those who should not have such access.
Landspítali's reply recounts that there was access control to deCode genetics' Virlab system, which stored the personal identifiers of the data subjects. Only three of the company's employees had access to the system and they required this access due to their work, as they were involved in the needs analysis for its design, its programming and the making of necessary updates. They were responsible for ensuring that the processing of the samples was in accordance with legal requirements and quality standards placed on the company's laboratory, e.g. the ISO 9001 quality standard.
From Landspítali's reply and the available data in the case, it cannot be concluded that the security of the personal data was insufficient, but it must be emphasised that a new assessment of the impact on personal data protection should have been carried out. This follows from the above legal provisions on the responsibility of the controller, data protection by design and by default, and security in the processing of personal data.
6. Summary of conclusion
It is the DPA's conclusion that the assessment of the impact of the proposed processing on personal data protection, used to underpin the relocation of a unit of Landspítali's Department of Clinical Microbiology to the premises of deCode genetics, did not meet the requirements of Act No. 90/2018, cf. Regulation (EU) 2016/679.

It is also the DPA's conclusion that there is no evidence that a lack of appropriate technical and organisational measures has resulted in the security of the personal data not meeting the requirements of Act No. 90/2018, cf. Regulation (EU) 2016/679.
In this regard, it should be emphasised that the DPA's role is, inter alia, to monitor the implementation of legislation on the processing of personal data, cf. Article 39(1) of Act No. 90/2018, and that the Authority may address individual cases and decide on them on its own initiative, cf. Article 39(3) and Article 41(2) of the Act, cf. Article 58(1)(b) of Regulation (EU) 2016/679.
The controller is obliged to provide the DPA with all the information the Authority needs for the implementation of Act No. 90/2018 and Regulation (EU) 2016/679, cf. Article 41(1) of the Act, cf. Article 58(1)(a) of the Regulation.
As stated at the beginning of this opinion, the DPA requested by letter of 14 August 2020 that Landspítali's replies be received before the planned relocation of the Landspítali Department of Clinical Microbiology unit to the premises of deCode genetics took place. Despite this request, the Authority only received the requested replies from Landspítali after the relocation had taken place and after the request had been reiterated twice. It is the DPA's opinion that this is highly reprehensible, in view of the Authority's supervisory role.
The DPA points out that Act No. 90/2018 and Regulation (EU) 2016/679 apply to the processing of personal data and that this legislation must be complied with despite a global pandemic, as stated in the Statement of the European Data Protection Board (EDPB) on the processing of personal data in the context of the COVID-19 outbreak, issued on 19 March 2020.
However, the DPA is also aware of the threat that the COVID-19 disease has posed to Icelandic society since the beginning of the epidemic and of the pressure the Icelandic health authorities have been under. In view of these special circumstances, no fine is imposed in this case, cf. Article 47(1) of Act No. 90/2018.
D e c i s i o n:
The assessment of impact on personal data protection, which was carried out by the Directorate of Health and underpinned the relocation of a unit of Landspítali's Department of Clinical Microbiology to the premises of deCode genetics, did not meet the requirements of Act No. 90/2018, cf. Regulation (EU) 2016/679.

The Data Protection Authority, 1 March 2022
Ólafur Garðarsson
Chair
Björn Geirsson Sindri M. Stephensen
Vilhelmína Haraldsdóttir Þorvarður Kári Ólafsson