Slovakia: Slovak Data Protection Authority Fines Faculty Hospital Nitra For Providing Medical Records To Expert Witness

May 2019 – The Slovak Data Protection Authority ("Slovak DPA") has fined Faculty Hospital Nitra EUR 2,000 for unlawfully processing sensitive personal data in breach of § 13 section 1 of Act. No 122/2013 Coll., On Personal Data Protection ("Data Protection Act 2013").

The Slovak DPA found the hospital in breach of Data Protection Act 2013

(i) through its unlawful provision in November 2017 of sensitive personal data concerning a deceased patient (a minor), which was included in medical records provided to an expert witness who prepared a written expert opinion the for the hospital; and

(ii) by unlawfully providing in March 2018 the personal data of the same patient to the Slovak weekly newspaper MY NITRIANSKE NOVINY, which published an article dedicated to the case on 26 March 2018.

The Slovak DPA's first instance decision imposed fine of EUR 4,000, which was decreased to EUR 2,000 after a successful appeal by the hospital. Fines in such pre-GDPR cases could have ranged from EUR 1,000 to EUR 200,000.

While the case and decision is based on pre-GDPR legislation, we are of the opinion that this decision is based on an interpretation of the law that may have adverse effects on the ability of healthcare providers to defend against medical malpractice claims, even with GDPR rules in place.

Providing health-related information to the media

With respect to providing the health-related personal data of a deceased minor to the media, the hospital argued that this information had already been published by the parents of the deceased and were publicly available. The Slovak DPA concurred with this opinion on appeal.

However, the Slovak DPA argued that under Data Protection Act 2013, in order to process health- related data already published by the data subject him/herself under § 14 e), the Data Controller must also have a legal basis pursuant to § 9 section 1. The Slovak DPA did not find such a legal basis and therefore concluded that the hospital violated the law by providing health-related data to the media, even though the minor's parents had already made this information available to the media and it had already been published.

Furthermore, under Slovak law a medical professional is obliged to maintain the facts he / she has learned in relation to the performance of his / her profession confidential in accordance with § 80 section 3 of Act No. 578/2004 Coll. On Healthcare Providers ("Act on Providers"). Only the person concerned (and the authority that issued the permit to provide healthcare) may discharge a medical professional from this confidentiality obligation. However, the Act on Providers does not require any specific form for the discharge of confidentiality by the person concerned. The publishing of health-related data by a person having the right to do so may eventually be seen as equal to the tacit discharge of confidentiality. The Slovak DPA did not take this into account in its decision.

We disagree with the decision of the Slovak DPA in so far as Data Protection Act 2013 (§ 10 section 3 g)) eventually provides a basis for the discharge of confidentiality, as the parents accused the hospital of malpractice in the media. On the other hand, while an expert witness is bound by the obligation of confidentiality, a journalist does not have such an obligation.

For this reason we strongly discourage healthcare providers from providing any health-related personal data to the media, even in the context of medical malpractice allegations presented in the media and even if such information has already been published by data subject her/himself.

If necessary, a viable solution would be to provide a reference to the location of already-published data without any further statements or interpretation.

Expert witness access to medical records

The Slovak DPA pointed out in its decision that the hospital retained and mandated the expert witness already on 3 November 2017, while the lawsuit was filed against the hospital on 2 February 2018. The expert delivered his written opinion on 22 February 2018. The court notified the hospital of the lawsuit on 20 November 2018.

The Slovak DPA maintained that the provision of §25 section 1 b)¹ of Act No. 576/2004 Coll., on Healthcare ("Healthcare Act") shall be applied when obtaining the opinion of an expert medical witness.

The Slovak DPA construed its argumentation in such a way that a healthcare provider is only entitled to provide medical records to an expert witness appointed by a court, a law enforcement agency, a public administration body or by a party in court proceedings. This opinion is based on the argument that § 14 a) – e) of Data Protection Act 2013 contain an exemption from the general ban on processing sensitive personal data, inter alia data related to one's health, and that the provisions of § 13 to 14 are specific to § 10.

We can only point out the Data Protection Act 2013 in § 10 section 3 g) provides for the processing of personal data to protect the rights and legitimate interests of the Data Controller or a third party without the consent of the data subject, except if the fundamental rights and freedoms of the data subject prevail in such processing of personal data (the proportionality test).

If we adopted the position of the Slovak DPA in each similar case, it would lead to impractical and even absurd situations. Healthcare providers facing a patient's allegation of medical malpractice would not be able to decide whether to challenge certain (perhaps unfounded) claims or be able to prepare their arguments based on facts contained in the patient's medical records, unless the case is subject to administrative, civil or criminal proceedings.

The healthcare provider would not be able to consult the situation with its insurer or its shareholders and would lack crucial expert opinion that could eventually allow for either an out-of-court or court settlement, if the claim would be supported by the expert witness. Evidence obtained by an expert witness who was appointed by the Data Controller and not by a court would, in view of the Slovak DPA's decision, result in unlawfully obtained evidence and hence be unacceptable in court.

In addition, such argumentation would have an adverse effect on a Data Controllers' ability to prepare and plan their legal defense. An attorney is also a third party in a position similar to an expert witness. If we accept the DPA's decision, this would mean that sensitive personal data should not be disclosed to an attorney in relation to planning and preparing a legal action, despite the fact that an attorney is bound by a professional confidentiality obligation (as is an expert witness).

The European Data Protection Board explained in relation to a similar point² that the legal basis for the exemption may be relied on in relation to a procedure that "must have a basis in law", but not necessarily one limited to judicial, administrative or even to out-of-court procedures. This legal basis should not be relied on if there is only a mere possibility of a legal proceeding, but it does allow for certain actions before the start of a proceeding. For instance, it can cover actions to launch procedures (e.g., commencing litigation or pre-trial discovery).

Post GDRP situation and expert witness access to medical records

We are of the opinion that GDPR provides a legal basis for the exemption to allow the processing of medical records by an expert witness appointed by a healthcare provider if there is an alleged patient claim against the healthcare provider under Section 6 (1) f) in connection with Section 9 (2) f), which allow for the processing of personal data concerning health if it is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity. Act No. 18/2018 Coll. On Personal Data Protection provides a similar exemption in § 16 section 2 f).

The literal interpretation of the law by the Slovak DPA leads to difficulties for Data Controllers that had not necessarily been intended by the Data Protection Act 2013 or the GDPR. The legal basis for the exemption to disclose personal data should rather be interpreted to cover processing within formal proceedings as mentioned above, but also processing in preparation for such proceedings to allow the Data Controller to evaluate its legal position and strategy.

Footnotes

1 We are of the opinion that this is an error in the DPA's decision, and that expert witness access to medical records is dealt with in letter j). Letter b) deals with the full access to medical records of a deceased patient by a surviving husband or wife, parents or a closed person under the provision of the Civil Code.

2 Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, including relying on the necessity for the establishment, exercise or defense of legal claims for international data transfer, accessible from this link.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.