Processing sensitive data such as health data is a risky activity. In the event of a breach of the rules, Data Controllers can incur civil and administrative sanctions and, in some states, even criminal ones. Depending on how apps and services are distributed, the Data Controller can be a different figure. For example, in the case of mHealth apps distributed on marketplaces, the Controller is often identified as the CEO of the company that distributes the app.
Sanctions currently imposed by laws
The current EU Data Protection Directive (Dir. 95/46/EC) defines only generic obligations and does not itself specify sanctions for violations. This approach leaves it to the Member States to implement the Directive in national law and to define the sanctions (administrative, criminal, civil) that apply when it is breached.
In Italy, for example, in the case of a violation (e.g. accidental destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a service available to the public), Data Controllers may incur an administrative penalty imposed by the Data Protection Authority or by a judge, and must compensate the damaged party unless they can prove that they took all the necessary measures to prevent the damage. Even in the case of an accidental violation, the authorities may decide to impose sanctions based on the extent of the damage caused.
In the event of a security breach there is currently no general obligation to notify the affected users.
Proposed fines in General Data Protection Regulation - GDPR
In the new EU data protection law, the General Data Protection Regulation (GDPR), which is still under approval (expected by the end of 2015), the obligations of Controllers are defined and detailed in Art. 22. In the event of unlawful processing of data, the authorities can impose administrative penalties of up to 2% of the company's worldwide annual turnover.
The amount of the penalty is calculated based on the following criteria:
- nature, severity, and duration of the infringement;
- intentionality or not of the violation;
- degree of responsibility of the Data Controller and any sanctions received in the past;
- the presence of technical and organizational security measures;
- degree of cooperation with the Authority to remedy the violation.
Penalties of up to EUR 500,000 or 1% of the company's worldwide annual turnover apply to anyone who:
- does not give Data Subjects access to their data or the possibility to correct it, or does not provide the requested information in a complete and transparent manner;
- does not respect the "right to be forgotten" (erasure), does not provide mechanisms for meeting the deadlines for responding to Data Subjects' requests, or does not clearly define joint responsibility with third parties for the processing and sharing of data;
- does not maintain appropriate documentation;
- does not provide a copy of the data in electronic form, or provides it in a form that cannot be transferred to third parties;
- does not comply with the rules on freedom of expression, on the processing of data in employment relations, or on the conditions for processing for historical, statistical and research purposes.
Anyone who commits one of the following violations may instead be sanctioned with up to EUR 1 million or 2% of worldwide annual turnover:
- collecting personal data without a proper legal basis or without consent;
- processing special categories of data (for example, health data or data relating to criminal convictions) in violation of the rules governing that type of processing;
- violating the rules on profiling;
- not adopting policies for the internal management of data, or not designating a person responsible for the processing;
- processing data in clearly inappropriate ways;
- failing to notify a data breach to the supervisory authority and to the Data Subjects in a timely manner;
- unlawful use of a data protection seal;
- transferring data to third countries or international organisations in the absence of an adequacy decision and appropriate safeguards;
- not complying with a prohibition issued by an authority;
- not complying with the rules on professional secrecy.
A novelty of the Regulation that is causing much debate is the obligation to notify data breaches to the national authorities without undue delay. The responsible Data Controller or Processor must communicate the nature of the breach, its likely consequences, and the measures proposed or already taken to contain the damage. Controllers and Processors must also notify the Data Subject whenever the breach is likely to harm their private life or put their data at risk.
Policy enforcement in Italy in 2014
Inspections by the national Data Protection Authority are planned on a six-monthly schedule that identifies the processing operations to be examined; this planned activity is supplemented by checks triggered by reports and complaints received from associations, organisations and individual citizens. For 2014 the Authority reported 577 administrative penalties in total. The main violations were failure to collect appropriate consent, unlawful data processing, and failure to communicate data breaches to the Authority and to users.
If the new GDPR were already in force, the investigated parties would be liable above all for the most serious violations.
Among all the violations, 39 were referred to the judicial authorities for criminal conduct. These figures show that Data Controllers and Processors have not yet understood the fundamental principles of data protection, or are unable, or do not know how, to implement the required administrative and technical measures.
However, according to several recently published studies, Italians seem enthusiastic about mHealth (78.6% commented positively on it). If approval of the "system" is so high, then as the number of users grows, so will the risk of incidents such as the one in Bologna, where it was found that one million electronic health records had been created without the informed consent of the patients. In that case the S. Orsola Malpighi hospital received an administrative penalty. In the case of the hospital of Martina Franca, a fine of EUR 30,000 was imposed for violations, which appears to be the highest fine imposed on a health institution in Italy so far.
Faced with the increased sanctions foreseen in the proposed Regulation, anyone who processes personal data by automated means should equip themselves with policies and security systems that limit the risk of intrusion and data theft.
According to the latest reports, attacks on health information systems have become one of the top five risks for companies, especially smaller ones.
This should raise the awareness of Data Controllers and Processors about the security of the data held in their information systems.
- Dynamic IP addresses are now "personal data": why you should care about it (Chino Blog)
- EU General Data Protection Regulation
- Art. 29 Data Protection Working Party - Guidelines on Data Protection Officers
- Handbook on European data protection law
- Activity of the Data Protection Authority in 2014 (Italian)
- Cosa pensano gli italiani in Rete dell’mHealth (What Italians online think about mHealth; Italian)
- Cyber risk the most serious threat to business
- Cyber attacks major concern for small business owners
- Small firms need cybersecurity companies that can provide affordable solutions
- NIS directive: More cybersecurity for eHealth
- EU Data Protection Supervisor: Opinion 1/2015 on Mobile Health
- ENISA: Security and Resilience in eHealth Infrastructures and Services