Fine issued after sensitive personal data disclosed on website

The Swedish DPA, Datainspektionen, has issued a fine of approximately EUR 11,400 (SEK 120,000) to the Swedish county of Örebro (located halfway between Gothenburg and Stockholm) for disclosing sensitive personal data on the county’s website about a patient admitted to a forensic psychiatric clinic.

Datainspektionen’s review of the incident showed that sensitive personal data had mistakenly been made available to the public through the county’s website. There were no written procedures for disclosing documents and personal data on the website; the procedures were only provided orally.

In this specific case, the oral procedures had not been followed, and a document containing sensitive personal data was unintentionally disclosed. Datainspektionen therefore concluded that insufficient organisational measures had been taken to protect personal data from being wrongly disclosed.

As part of its decision, Datainspektionen instructed the county to prepare written instructions and to implement procedures ensuring that the person who releases personal data on the Internet does so in accordance with these instructions.