Health data and GDPR: the English example

Originally published: newspaper “Ta Nea” – Letters (in Greek)
Date: 07/01/2020

Aimilios Koronaios
Attorney at Law
LL.M. (Aberdeen), LL.M. (Athens)

Mr. Director,

I return to a revealing report of your newspaper on the violation of personal data legislation in our country by a large public hospital of the capital in the summer of 2019. According to the report, many medical records of the hospital patients were stacked in corridors and stairs, for everyone to see. Against the poor reaction of the competent Greek authorities to these serious allegations, it is useful to see how very recently (December 2020) the United Kingdom Personal Data Protection Authority (ICO) reacted to a case with many similarities, brought before it. The facts were as follows: a London-based pharmacy left about 500,000 documents in unlocked boxes, exposed in a courtyard at the back of its premises. The documents contained personal data such as names, addresses, dates of birth, insurance numbers, medical data, etc. of an indefinite number of persons. Some of them were even damaged due to their exposure to water. ICO, after receiving the relevant information via e-mail, carried out a relevant audit. Following the finding of this unacceptable situation, the competent authority of the United Kingdom imposed a fine of 275,000 pounds (approximately 320,000 euros), in particular for violation of articles 5 (1), 24 (1) and 32 of the GDPR. It was held that the pharmacy should have been fined, as it had failed to implement appropriate organizational measures to ensure the appropriate level of security of personal data and had processed them in an unsafe manner. The conclusion is yours to make.