Prior to the case of “I” v Finland, the applicant (“I”) had started her complaints procedure with local Country Administrative Board.
In its decision of 20 October 1997 the County Administrative Board held that:
“Section 12 of the Patient’s Status and Rights Act (laki potilaan asemasta ja oikeuksista, lag om patientens ställning och rättigheter) provides that the health authorities and staff have to comply with the regulations issued by the Ministry for Social Affairs and Health (sosiaali- ja terveysministeriö, social- och hälsovårdsministeriet, “the Ministry”) when preparing and processing patient records. Pursuant to this section the Ministry has issued, on 25 February 1993, Regulation no. 16/02/93.
In the said Regulation it is noted that patients records must be prepared having due regard to the secrecy regulations and the protection obligation and the duty to take care pursuant to the Personal Files Act (henkilörekisterilaki, personregisterlagen; Act no. 471/1987). According to the duty to take care, precaution and good registering practices must be observed when gathering, depositing, using and delivering data and these must be done in a manner so as not to infringe unnecessarily the right to privacy of the registered person or his or her benefits and rights. The protection obligation means that data in patient records must be duly protected against unauthorised processing, use, destruction, amendment and theft (sections 3 and 26 of the Personal Files Act).
In the said Regulation it is also noted that the patient records must form an entity to ensure that outsiders cannot gain unauthorised access to them and that, in addition to the said obligations, in accordance with the Personal Files Act, the purpose of use of the said data can be taken into account. This way it can be made sure that requisite patient data are only given to the personnel participating in the treatment of the patient.
[The applicant] has in her representations alleged that [X], who is working for [the hospital] has ordered up the case history of [the applicant’s ex-husband] and that someone else has ordered up her file or visited the archives and read her file and/or that of [her son] and that the data have been transmitted to [Y] and other staff mentioned in [the applicant’s] representations.
[X] has contested having proceeded erroneously. The other persons mentioned in [the applicant’s] representations have contested having had knowledge of the data mentioned therein concerning [the applicant] and her family.
According to the director in charge of [the hospital’s] archives it is not possible to retroactively clarify the use of patient records. The data system reveals only the five most recent consultations (by working unit and not by person) but this information is deleted once the file has been returned to the archives.
Therefore, the County Administrative Board cannot further rule on whether information contained in the patient records has been used by or given to an outsider.
Having regard to the foregoing, the County Administrative Board however finds that the system should record any consultation of patient files as a safeguard of privacy in order to ensure that the responsibility for a possible leak of information can be individualised. For the future, the County Administrative Board draws the hospital’s attention to the protection obligation and the duty to take care provided by the Personal Files Act, and further, to the need to ensure that privacy protection is not put at risk when processing medical data within the hospital. …”