06 August 2021
Sharing health personal data with the non-custodial parent by unauthorized employees in the hospital
In the complaint lodged with the Authority, the data subject requested that the necessary administrative sanctions be imposed on the data controller, which uses personal data concerning the data subject without obtaining parental consent and processes such data in violation of Personal Data Protection Law No. 6698.
The complaint letter submitted to the Authority states the following, in summary;
- The complainant's spouse, whose divorce proceeding is still ongoing, is on trial for allegedly abusing their joint child, and his file is at the appeal stage. The spouse included health and epicrisis reports of their joint child in his petition of appeal and its annex,
- In the epicrisis report submitted to the Court of Appeal by the spouse, the complainant saw that there were sentences such as "he lies, he steals" about her son; she had taken her son to the child psychiatry department for examination only 3-4 times in total at various times, and she never took her son to the hospital on the grounds that he had lied. Moreover, the reports submitted to the Court of Appeal were issued by unrelated persons without her knowledge, illegally and in disregard of the confidentiality of private life, and the report was given to the other party after changes had been made to it in order to mislead the Court,
- Later, it was found out that those health reports were given to the attorney of the spouse, who is in prison, by a Training and Research Hospital ("Hospital") without the consent of the complainant mother, and there is no special permission in this regard in the attorney's power of attorney,
- Following the investigation, the complainant learned that, upon the request of the hospital chief, a person working as an archive officer in the hospital took printouts of the report by creating an epicrisis form and clicking the save button in the system; he later declared that he did not make any changes to the findings or diagnosis and that he only took the printout. The hospital chief did not provide the documents in the first place and consulted his supervisor, and he declared that, after his meeting with the lawyer of the Provincial Health Directorate and due to an opinion letter issued in the past on the same subject, he would not be able to submit these reports on the second visit of those who requested them. Also,
- the Pediatric Specialist accepts that he himself gave the documents to the attorney of the complainant's spouse because he saw it as appropriate after reviewing the attorney's identity, power of attorney, identity register and the father's petitions. The pediatrician also told the attorney that the documents do not have an official nature until they are signed and stamped, so an officially approved copy should be requested from the administration,
- However, the complainant never took her child to that doctor for examination,
- A criminal complaint was filed with the Chief Public Prosecutor's Office on the matter, but the Governor's Office did not give permission for an investigation, despite the doctor's explicit confession.
The Decision taken by the relevant Governor's Office Provincial Administrative Board, which is attached to the complaint letter, states that the Governorate decided not to grant permission for an investigation, on the following grounds;
- 11 epicrisis reports belonging to the child of the data subject were added to the system by the archivist instead of by the doctors,
- After reviewing log records of the reports, it was seen that no changes were made in the reports,
- The Hospital Information Technologies Directorate informed that all polyclinic personnel responsible for patient registration and all doctors in the hospital have the authority to display the files of all patients, and that the hospital automation system keeps log records when there is an addition, deletion or any change, but no log records are kept for the displaying of patient information,
- The doctor who shared the reports with the attorney stated that he submitted the reports because the applicant was a lawyer and requested health information about his client's child,
- As a result of evaluating the doctor's acknowledgement that he gave those documents, together with the reasons for his action, it is concluded that it is not possible for the pediatrician to know and/or remember the laws regarding all requests made to him while he works under intensive polyclinic conditions, night shifts and other duties; that, since he works with patients under the age of 18 who are unable to express themselves and make decisions about themselves, he is obliged to explain/document all information and explanations about his patients to the families of those children; that the documents requested by the attorney could also be obtained through the court; that the pediatrician gave the documents unsigned and unstamped for information; and that the doctor cannot knowingly and willingly have had the desire to cause the victimization of a person.
In this context, within the framework of the examination initiated on the subject, the Ministry of Health was asked for its explanations regarding the allegations in the complaint. In its response, the relevant Governorate Provincial Health Directorate states the following, in summary;
- The doctor and archive officer are under confidentiality obligation for being public officers and healthcare professionals,
- It is a necessity for healthcare professionals to access personal data of patients to be able to provide healthcare services, and since having access is mandatory for the provision of health services, the confidentiality obligations of the healthcare professionals and public officers are regulated in many principal legislations, where abuse of this access authority to harm patient privacy is subject to sanctions,
- The incident subject to the complaint occurred in a hospital affiliated to the Ministry, and the reason of the Ministry for processing data is within the scope of “the execution of medical diagnosis, treatment and care services" defined in Article 6 of Law No 6698, therefore there is a legal basis for healthcare professionals to have access to patient files to provide healthcare services,
- Article 6 of the By-Law on Personal Health Data published in the Official Gazette dated 21.06.2019 determines the conditions regarding the access of the healthcare professionals to the data and accordingly, the persons in charge of the health service provision shall access the health data only on the condition that it is limited to the necessity of the health service to be provided,
- Apart from the incident subject to the complaint, it is lawful to authorize healthcare professionals to access patient data by virtue of their position and title, on the condition that access is limited to the necessity of the healthcare service to be provided,
- Doctors have access to patients' health data to learn about their past disease history, treatment, and to determine the treatment for their current diseases,
- Similarly, archive officers working in the healthcare field need access to patients' files in relation to their work, and restricting access to patient files may produce irreparable results in terms of human health, hindering the delivery of healthcare services,
- Therefore, it is evaluated that the occupational groups mentioned in the incident, namely a specialist doctor and an archivist, need to access the patient records due to their profession, and that there is no violation of the personal data protection legislation in the access of these individuals to the patient records, provided that they are limited to the purpose, during the provision of health services,
- In its final evaluations, the Ministry of Health relies on the current legislation for its personal data processing activities, and it is possible for healthcare professionals to access patient records to provide healthcare services, provided that this purpose is not exceeded, and also the system keeps all log records of any changes made on patient records,
- Restricting physicians' access to the files of only those patients whose records were opened by themselves, or restricting the patient files that archive officers can access, is incompatible with the nature of healthcare services, because a physician can provide healthcare services directly or indirectly to a person who is not his/her own patient and can give consultation to another physician; therefore, there is no illegality in the physicians in the hospital and the archive officers responsible for the preservation of the patient files accessing patient files,
- In case the unlawful act in the complaint really occurred (it is stated that the judicial process is still ongoing), it was caused by the human factor, and due to the nature of the health sector, the human factor cannot be completely eliminated. Besides, the Ministry of Health follows and implements administrative, legal and penal sanctions in order to improve deterrence and strengthen patient privacy, and it has sent official instructions to countless institutions and organizations on patient privacy and the protection of personal data; when all these are evaluated together, it is thought that no security vulnerability can be attributed to the Ministry in the incident.
In this regard, taking into account the following points:
- Article 6 of the Law for conditions for processing of sensitive data regulates that;
(1) Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data.
(2) It is prohibited to process special categories of personal data without explicit consent of the data subject.
(3) Personal data, except for data concerning health and sexual life, listed in the first paragraph may be processed without seeking explicit consent of the data subject, in the cases provided for by laws. Personal data concerning health and sexual life may only be processed, without seeking explicit consent of the data subject, by the persons subject to secrecy obligation or competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.
(4) Adequate measures determined by the Board shall be also taken while processing the special categories of personal data.
- “Adequate Measures to be Taken by Data Controllers in the Processing of Sensitive Personal Data” issued by the Personal Data Protection Board within the scope of Article 6(4) and Article 22(1)(ç) of the Law rules that;
1. Determining a systematic, manageable and sustainable separate policy and procedure for the security of sensitive personal data,
2. For employees involved in the processing of sensitive personal data;
a) Providing regular trainings on the law and relevant regulations and sensitive personal data security,
b) Making confidentiality agreements,
c) A clear definition of the users authorized to access the data, the scope and duration of their authorization,
ç) Periodic authorization checks,
d) Immediate abolition of the authority of employees who have a change in duty or quit their job in this field. Also, returning the inventory allocated to them by the data controller,
3. If the environments in which sensitive personal data is processed, stored and/or accessed are electronic media;
a) Storing the data using cryptographic methods,
b) Keeping cryptographic keys secure and in different environments,
c) Securely logging the transaction records of all activities performed on the data,
ç) Continuously monitoring the security updates of the environments where the data is located, regularly performing/having the necessary security tests, recording the test results,
d) If the data is accessed through a software; user authorizations for this software, regular security tests of these software, recording of test results,
e) If remote access to data is required; at least two-stage authentication system must be provided.
- When the relevant health legislation is reviewed it is seen that, Article 16 of the Regulation on Patient Rights, titled "Review of Records", published in the Official Gazette dated 01.08.1998, states that "The patient can examine the file and records containing information about his/her health status directly or through his/her authorized or legal representative and take a copy. These records can only be displayed by those directly involved in the patient's treatment.” And Article 23 of the same Regulation rules that “The information obtained to provide health services cannot be disclosed in any way, except as permitted by law. Even if it is based on the consent of the person, the disclosure of information in cases that result in the complete waiver of personal rights, the transfer of these rights to others or excessive limitation of these rights does not remove the legal responsibility of the person who disclosed them. Disclosure of information that may cause harm to the patient without a legally and morally valid and justified reason does not remove the legal responsibility of the personnel and other persons. Disclosure of information that may cause harm to the patient without a legally and morally valid and justified reason also requires legal and criminal liability of the personnel and other persons.”,
- In addition, Article 8 of the Regulation on Personal Health Data published in the Official Gazette dated 21.06.2019 sets forth that "In case of divorce of the parents, the party who is not given the right of custody can access the health data of the child in accordance with the legislation on the protection of personal data and within the limits determined by the General Directorate, by taking into account the benefit of the child and the parent." And Article 10 of the same Regulation rules that "Lawyers cannot request their client's health data with a general power of attorney. In the power of attorney issued for the transfer of the client's health data to the lawyer, there must be a special provision indicating the explicit consent of the data subject regarding the processing and transfer of sensitive personal data.",
- Article 9(1) of the same Regulation states that personal health data can be shared with relatives of patients in a way that does not violate the principles of Law No. 6698 and in accordance with the Article 18(3) of the Regulation on Patient Rights, and this article rules that it is essential to inform the patient himself/herself, and if the patient requests that someone else be informed instead of himself/herself, only those requested to be informed will be informed, provided that this request is recorded in writing with the signature of the person,
- On page 41 of the 'Information Security Policies Guide' updated by the General Directorate of Health Information Systems, it states that "It is taken into account that personal health records (all examination results, patient files, barcodes, observation forms, etc.) are special categories of personal data and special protection should be applied for such data under Law No. 6698.". And as per page 64, "In order to access sensitive personal data (personal health data), the technical and administrative measures specified in the KVKK's decision numbered 2018/10 must be taken.". Page 122 further states that, "9.9.25. In accordance with the KVKK's decision numbered 2018/10, in software where special categories of personal data is processed; trace records of all activities performed on the data must be securely stored in another medium.",
- Also, on various pages of the guide, it is explained that it is not sufficient to simply refer to the Decision No. 2018/10, and the Personal Data Security Guide, which is also referred to in the relevant decision, indicates that to ensure data security, it is necessary to accurately determine all of the personal data that are processed by the data controller, the probability of the risks that may arise regarding the protection of this data, and to determine the losses that may result and to take appropriate measures. The Guide further adds that after the risks and priority are identified, technical and administrative measures to reduce or eliminate risks should be planned and implemented,
- When handling requests for the sharing of special categories of personal data received by the employees working under the data controller, it is necessary to determine a separate, systematic, manageable and sustainable policy to be followed in order to prevent situations arising from carelessness, inattention or inexperience, and the risks/threats must be evaluated and followed before such events occur,
- In the case, it was seen from the epicrisis form that the doctor provided examination and treatment services to the child, but the doctor examined the data subject within the scope of pediatrics, not child and adolescent psychiatry,
- In this context, the pediatrician working under the data controller displayed the information in question outside his/her own branch and shared it with a third party in violation of Article 8 of the Law, even though there was no special provision in the power of attorney regarding the sharing of sensitive personal data and only the mother had temporary custody of the child at that time. Therefore, the sharing of that information and those documents by the doctor is not related, limited and proportionate to the purpose of examination and treatment of the patient,
- Another point is that granting all polyclinic patient registration personnel and all doctors in the hospital authorization to see the files of all patients is against the principle of being relevant, limited and proportionate to the purpose of data processing. Since no log records are kept of who views which data, it is not possible to control these activities. Therefore, it may be appropriate to let only the personnel and doctors working in the examination and treatment of a patient access that patient's data, instead of all physicians and patient registration personnel in the hospital, and in this regard the data controller can prevent possible unlawful data processing by creating an authority matrix of who can view patient data. In this context, it can be taken into account that -as the data controller Ministry of Health stated in its response letter- specialist doctors do not only serve the patients registered to them, they also serve other patients in planned or sudden situations, and that health services require intensive teamwork and that urgent situations,
- In addition, authorizing only certain personnel to take printouts from the hospital automation system will reduce the security risks.
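The access-control and logging gaps the Board describes, modelled as an added illustration (not the hospital's own software): a legacy policy where every clinician can open any file and views leave no trace, beside a hardened policy with a treating-team authority matrix, logged view attempts and a separate print-authorization list. All user names and records below are constructed.

```python
from dataclasses import dataclass, field

# Constructed sample data (not real records): one child patient, the clinician
# who actually treats the child, and the staff allowed to print from the system.
RECORDS = {"P-001": {"clinic": "child psychiatry", "epicrisis": ["constructed epicrisis text"]}}
TREATING_TEAM = {"P-001": {"psychiatrist_a"}}   # authority matrix: who may view whom
PRINT_AUTHORIZED = {"archive_officer_1"}         # who may print patient records

@dataclass
class Policy:
    restrict_to_treating_team: bool  # enforce the authority matrix on views?
    log_views: bool                  # audit display/read events, not only changes?
    restrict_printing: bool          # only designated staff may print?

# The state the Board found, and the state its instructions describe.
LEGACY = Policy(restrict_to_treating_team=False, log_views=False, restrict_printing=False)
HARDENED = Policy(restrict_to_treating_team=True, log_views=True, restrict_printing=True)

@dataclass
class HospitalSystem:
    policy: Policy
    audit: list = field(default_factory=list)

    def _log(self, action, user, patient_id, outcome):
        self.audit.append({"action": action, "user": user, "patient": patient_id, "outcome": outcome})

    def view(self, user, patient_id):
        ok = (not self.policy.restrict_to_treating_team) or user in TREATING_TEAM.get(patient_id, set())
        if self.policy.log_views:  # the legacy system had no equivalent of this line
            self._log("view", user, patient_id, "allowed" if ok else "denied")
        if not ok:
            raise PermissionError(f"{user} is not on the treating team of {patient_id}")
        return RECORDS[patient_id]

    def print_report(self, user, patient_id):
        ok = (not self.policy.restrict_printing) or user in PRINT_AUTHORIZED
        self._log("print", user, patient_id, "allowed" if ok else "denied")  # always recorded
        if not ok:
            raise PermissionError(f"{user} is not authorized to print records")
        return "\n".join(RECORDS[patient_id]["epicrisis"])

def who_viewed(system, patient_id):
    """The question the Board found unanswerable: who displayed this patient's file?"""
    return [(e["user"], e["outcome"]) for e in system.audit
            if e["action"] == "view" and e["patient"] == patient_id]

def simulate(policy):
    """A treating psychiatrist and an unrelated pediatrician each open the file."""
    system = HospitalSystem(policy)
    outcomes = {}
    for user in ("psychiatrist_a", "pediatrician_b"):
        try:
            system.view(user, "P-001")
            outcomes[user] = "allowed"
        except PermissionError:
            outcomes[user] = "denied"
    return outcomes, who_viewed(system, "P-001")

if __name__ == "__main__":
    print("legacy:", simulate(LEGACY))      # both allowed, no trace of either view
    print("hardened:", simulate(HARDENED))  # pediatrician denied, both attempts logged
```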
On the basis of the foregoing evaluations, the Board, with its Decision numbered 2021/761 and dated 6 August 2021, decides that the data controller, Ministry of Health, shall be instructed:
- To prepare a systematic, clear, manageable and sustainable policy that can be followed without hesitation by the employees of the Ministry,
- As an administrative measure; to give training to the personnel of the relevant Training and Research Hospital within the scope of personal data protection harmonization activities, in which the data controller shall clearly inform the hospital personnel of the scope of their authorization for the processing of personal data, since they deal with sensitive personal data, and to submit the training documents to the Authority,
- As a technical measure in terms of ensuring the security of personal data; to update the system so that the access logs of the hospital automation system are kept, including viewing activity, and to inform the Authority,
- To clearly set out a matrix authorizing only the personnel and doctors working in the examination and treatment of a patient to access that patient's data, instead of letting all physicians and patient registration personnel in the hospital have access to all patient records,
- To set down certain procedures for printing out patient records from the hospital automation system and to designate certain authorized personnel for this, and to inform the Board about the results of all the instructions given regarding the protection of personal data within this framework,
- To take necessary action in accordance with disciplinary provisions against those responsible for the incident working in the relevant public institution and organization pursuant to Article 18(3) of the Law, and to inform the Board about the result of the action taken, because it was concluded that the data controller failed to take the necessary administrative and technical measures, considering that the person working under the data controller transferred the sensitive personal data of the data subject's child to the relevant lawyer without relying on any of the transfer conditions in Article 8 of Law No. 6698.