GDPR takes action in Portugal with a 400k € fine
Principles violation relative to data treatment leads to the application of a GDPR fine by the National Data Protection Commission (NDPC) reaching 400 thousand euros to the Barreiro-Montijo Hospital Centre.
The fine was applied after a conjunct inspection between the National Data Protection Commission and the General Inspection on Health Activities, following the the accusation from the Order of Medics in June of this year.
On this conjunct operation the NDPC stated that at least nine professionals with a role in social services had access to clinical data exclusive to working doctors. What’s at stake is the usage profiles assignment to social assistants. Flaws on the authentication system and the nonexistence of access rules also helped for the fine application sheltered by the new GDPR.
The NDPC also holds the Hospital’s direction accountable for not taking the necessary measures to guarantee that the inactive doctors’ accounts were eliminated.
This matter was considered serious for putting special health data categories at stake, and for the creation of new access accounts not controlled by the administration. Although the she didn’t take measures by her own initiative, “the defendant took the care to intercede with the HMSS to right this aspect of the system that, as a recent update shows, should and could be changed previously”, as concluded by the NDPC.