News - February 2019

Published 25 March 2019 by Holst, Advokater

Millions of Swedish phone calls between nurses and patients were left unprotected online

In mid-February, Computer Sweden revealed that on an unprotected web browser they had found 2.7 million phone calls made since 2013 to the public healthcare hotline, 1177 Vårdguiden.

During the 170,000 hours of recorded files, sensitive data such as illnesses, medications, previous treatments, etc. as well as social security numbers were mentioned – data which in accordance with the provisions of the GDPR shall be processed subject to special considerations. In addition, some of the audio files were marked with the caller’s phone number under the name of the file.

Seen in isolation, the recordings are not illegal, however, the audio files should be handled confidentially, which was not the case. MedHelp, which is the supplier of the public healthcare hotline to the Stockholm Region, outsourced the storing of the recordings to MediCall. MediCall’s supplier has stated that the error assumably was caused when a hard disk during an update was connected to the internet.

Although MedHelp has now terminated its agreement with MediCall, both the Stockholm Region (as data controller) and MediHelp (as a data processor) shall be aware that they are responsible for ensuring the security measures when processing data at MediCall (the sub-processor). A data processor shall ensure that a sub-data processor observes its obligations in respect of data protection, and a data controller shall ensure that the data processor actually carries out data processing according to what is agreed.

After the breach was disclosed, the Swedish DPA announced on its website that it is their intention to investigate the matter further and that it should be expected that a decision pertaining to the matter will be made very soon.

Please see the revelation from Computer Sweden (in Swedish) here: https://computersweden.idg.se/2.2683/1.714787/inspelade-samtal-1177-vardguiden-oskyddade-internet?queryText=1177

Please see the statement of the Swedish DPA (in Swedish) here: https://www.datainspektionen.se/nyheter/datainspektionen-ska-granska-1177-vardguiden/

Fines totalling GBP 120,000 for merging email lists for marketing purposes

The two closely linked companies in the campaign group Leave.EU Group Limited and the insurance company Eldon Insurance Services Ltd have been fined GBP 120,000 in total upon the unlawful use of each other’s email lists for submitting material for marketing purposes.

In more than 1 million emails, Leave.EU has promoted insurances from Eldon without the recipients having given any valid consent for such. In consequence, Leave.EU was fined GBP 45,000 and Eldon Insurance fined GBP 60,000. It is quite interesting that a mitigating circumstance was that nobody had complained about the marketing, whereas it was not taken into consideration that most of the submitted emails were never opened by the recipient.

In another case, Leave.EU had by mistake submitted more than 300,000 emails about their political agenda to Eldon’s insurance customers. At the time of the mistake, the two companies had used the same MailChimp account for submitting their emails, hence, the administration had by mistake sent the emails to the wrong recipients. Leave.EU was as a result fined GBP 15,000.

The fines are determined on the basis of the current ePrivacy Regulations, which - however - are soon expected to be replaced by an ePrivacy Regulation subject to the same penalty rates as those of the GDPR. In connection with the release of the decisions, the ICO has stated that they will initiate an audit of the general data protection practices of the two companies, thereby entailing possible additional fines on the two companies.

The case illustrates that two companies that are closely linked - in this case, share the same address and many of the same employees, owners, etc. shall be extra aware of their business procedures so that data is processed in one company does not immediately pass and be used by the other company. 

Please see the British ICO news about the decisions and the upcoming audit here: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/02/ico-to-audit-data-protection-practices-at-leaveeu-and-eldon-insurance-after-fining-both-companies-for-unlawful-marketing-messages/