“I” v Finland - Data Protection and Privacy

Results:

On 17^th July 2008, at the ECHR (Strasbourg), in the case “I” v Finland the court found against Finland, and awarded  “I” €13,771 in damages and €20,000 in costs. The full court decision,  I v. FINLAND, case no. 20511/03, is available here.

Outline of the Case:

The applicant “I”, now 48, stated that her private medical records were accessed by the other people (as a result of which she possibly lost her job as a nurse).

The access was not recorded, as there was no records of this at the time (around 1992)

The Court decided that as the hospital was controlled by the State, and as such Finland was responsible for the actions there. The court also stated that personal information relating to a patient undoubtedly belongs to his or her private life. Therefore  Article 8, freedom to a private life, is applicable in this case.

The European Court of Human Rights found that a person’s right to respect for their private life (under the ECHR,) may be breached where the State fails to take appropriate steps to secure data, so that it cannot be accessed improperly.

While Article 8 not means the government must not interfere, but may also have to undertake positive actions to prevent such interference, e.g the adaption of systems/controls to protect data.

In this case there is no statement that there was deliberate and unauthorized access of data, only that there was failure to secure the data appropriately. i.e a breach of Finland’s positive obligations under Article 8. The court found in favour of the Applicant.

Summary: The ECHR found that if personal data is not secured adequately, and the State does not take positive steps to do so (and not just legislation but technical and procedural steps as well), then the state is in breach of Article 8.

Background of the Case:

The claimant “I” was a nurse who worked in Finland, and between 1989 and 1994 she worked on fixed terms contracts in a state/public hospital (i.e working for Finland). However, from 1987 onwards “I” had also been a patient of the same hospital as she had been diagnosed with HIV.

In Early in 1992 the applicant began to suspect that her colleagues were aware of her illness. At that time hospital staff had free access to the patient register which contained information on patients’ diagnoses and treating doctors. Having confided her suspicions to her doctor in summer 1992, the hospital’s register was amended so that henceforth only the treating clinic’s personnel had access to its patients’ records. The applicant was registered in the patient register under a false name. Apparently later her identity was changed once again and she was given a new social security number.

In 1995 the applicant, “I” changed/lost her job as her temporary contract was not renewed.

On 25 November 1996, the applicant complained to the County Administrative Board (lääninhallitus, länsstyrelsen) in Finland, requesting it to examine who had accessed her confidential patient record.  Following this request, the director in charge of the hospital’s archives provided a formal statement with the County Administrative Board. The statement said that is was not possible to find out who, if anyone, had accessed the applicant’s patient record as the data system revealed only the five most recent consultations  - and this was by department and not a named individual. And even this scant information was deleted when the records were returned to the archives.

Following this investigation the Finnish County Administrative Board decided, on 20 October 1997 that while there should be privacy for the individual the records are not detailed and therefore Board decided that it could not further rule on whether information had been viewed inappropriately. However, it did advise the records should be changed so that access to the files are recorded.

As a result of this, in March 1998, the hospital’s register was amended so that it became possible retrospectively to identify any person who had accessed a patient record.

In 15 May 2000, the applicant “I” instituted civil proceedings against the District Health Authority (sairaanhoitopiirin kuntayhtymä, samkommunen för sjukvårdsdistriktet), which was responsible for the hospital’s patient register at the time of the incident, claiming non-pecuniary and pecuniary damage for the alleged failure to keep her patient record confidential.

On 10 April 2001, the District Court (käräjäoikeus, tingsrätten) rejected the action.  The applicant then appealed to the Court of Appeal (hovioikeus, hovrätten), maintaining her claim that the hospital had not complied with the domestic law, in breach of her right to respect for her private life

On 7 March 2002, the Court of Appeal, found against the applicant and ordered her to pay costs for the respondents legal expenses for both the district court and appeals court – 2,000 and 3271 euros  respectively.

Following this “I”, then applied to the Finish Supreme Court (korkein oikeus), claiming that there been a violation of her right to respect for her private life. On 23^rd Decemeber 2002 the Supreme Court refused leave to appeal.

Still pursuing the case “I” applied to the ECHR and requested that her name was with held. On  20th June 2003 the president of the Chamber (Nicolas Bratza) agreed to this. On 19^th January 2006 the ECHR decided that there was a case to hear and informed Finland that the ECHR would hear the case.

On 17^th July 2008 the court decided in favour of the applicant “I”.

Tags: data protection, ICO, Law, privacy