Let me be honest. When I read that papers from a HagaZiekenhuis service transfer containing patient data had been found in a supermarket shopping cart, my first reaction was also: a data leak! Especially when I read further in the article that the HagaZiekenhuis, as data controller, had reported the leak of the medical data to the Autoriteit Persoonsgegevens (AP). Surely the hospital would have figured it out. Otherwise, you don't file a report. But is there actually a data leak?
In order to constitute a reportable data breach, the General Data Protection Regulation (AVG) must first apply. Articles 33 and 34 of the AVG do not apply until the AVG applies "at all. The AVG materially applies if there is any fully or partially automated processing of personal data. And if the processing is not automated, then it may also involve personal data that are contained in a file or intended to be contained in a file (see Article 2(1) AVG). The terms "personal data," "processing," and "filing system" are further defined in Article 4 AVG.
Does the data found in the shopping cart involve personal data? It must be data by which a natural person can be directly or indirectly identified. The explanatory note also states that the identity of the data subject must be reasonably ascertainable without undue effort. [1] If I understand the article about the HagaZiekenhuis correctly, it concerns a transfer of service, in which the name of the patient is mentioned, along with the condition and medication. That mentioning the name involves personal data is clear. That mentioning the condition and medication, especially in combination with the name, involves medical personal data is also beyond doubt. It is even special personal data, namely medical data. [2]
Next, there must be processing. The finder of the papers has accessed and consulted the data. That falls under processing according to Article 4, second, AVG. So two of the three requirements are met.
But does it include (partial) automated processing? There will be no dispute that the paper found rolled out of a printer and that the data on that paper was stored somewhere on a server, a hard drive or in a cloud and that the data was processed on a laptop, desktop or tablet. Is finding a scrap of paper in a shopping cart with a shopping list on the back, as we might believe the HagaZiekenhuis article, also automated or partially automated processing?
The AVG is not at all clear about the term "automated. There is no further definition in Article 4 AVG, nor do the recitals, belonging to the AVG, provide clarity. Neither do the AVG's policy rules. Zwenne, professor at Leiden University, devoted an interesting and readable article to automated operation in 2017,[3] although the article was written under the Personal Data Protection Act (Wbp), it is also applicable for the AVG. Indeed, with respect to material applicability, nothing has changed.
When we think of automated processing, we think of digital data carriers. Think of that laptop, of a tablet or usb stick. When we think of a paper in a shopping cart, we tend to think of a "paper data carrier. Paper, perhaps held together by a staple or a quick staple or a folder. Zwenne mentions in his article the examples of a letter and the court files that construction workers found in garbage bags during a court renovation. found in garbage bags. [4] Both examples involve data on paper data carriers, according to Zwenne not being automated data processing. In my opinion then, the same applies to paper service transfers.
So is there partial automated processing? Although the letter, the papers in the garbage bags and the paper in the shopping cart are paper data carriers, those papers have an origin in a digital storage of personal data. Zwenne concludes, using the explanatory memorandum of the Wbp, that partial automated processing must involve an intertwining of manual repercussion and automated processing. They must both have the same purpose, and in society they must be seen as one. He gives the example that processing personal data is of a different order in writing a letter than in delivering a letter. It becomes different if automated means are used in mail delivery, in sorting and distributing mail, especially if a track-and-trace system is also used. Then, Zwenne says, digital sorting and mail delivery can be considered one.
Back to the shopping cart: the digital processing of personal data for a service transfer cannot be seen as one with finding the printout in a shopping cart. There is not the same destination, nor are they to be seen as one in society. The finding in the shopping cart had nothing to do with the transfer.
If then it is not (partially) automated processing, is it processing in a file? A file is a structured set of personal data, accessible according to certain criteria. [5] This is a tricky definition. Under the Wbp, the legislative history indicates (see Zwenne) that there must be a collection of data, created for the purpose of effective consultation, according to certain criteria. The personal data contained in the structured whole must be easily accessible through various search criteria. Attention must have been paid to this. (It should also be noted, that with the transition from the PDPA to the AVG, the criterion that the file must relate to several persons was dropped).
The cabinet of personnel files is always cited as an example. [6] The files in that cabinet are of course in alphabetical order and are structured in such a way that they are all built up the same way, with a letter of application, the various employment contracts in chronological order, the reports of the performance interviews in chronological order, and the pay slips in chronological order, perhaps still selected by type of employment contract or by position, etc. The file is then a systematized whole. The alphabetical order, the chronological order and the distinction by function are then the criteria that make it easy, make it accessible, to retrieve personal data within that structured system. Alphabetical order alone will be insufficient. One can also think of card systems, where with a combination of alphabetical order also with an order by subject or chronological order data can be retrieved.
I have not had a chance to see the paper found in the shopping cart with my own eyes, but if my guess is correct, the service transfer paper is not immediately a structured entity, with which various criteria make the structured entity accessible to retrieve personal data. The criteria in the law are strict. For example, a book with only an alphabetical register is not a file. Only if the register has several entries from a register of persons could it be a file. As structured as that book, as the personnel files, as the card system, the service transfer will not have been. Simply because of the fact that the transfer of service, while correct, will have to be done quickly, briefly and powerfully, and that no sufficient time/attention will have been given to using various criteria to make the data comprehensible in the "structured whole" of the transfer.
In short: because there is no file, the criterion that personal data are contained in a file or that personal data are intended to be contained in a file is not met for the applicability of the AVG. Surely it looks very much like in the case of the paper in the shopping cart there is no applicability of the AVG and thus no data breach.
Final reflections
The person who found the service transfer took a picture of the service transfer. He or she sent this photograph to the newspaper. Is the taking of the photo then not an automated processing, where the photographer is the data controller? Doesn't the AVG apply there? I think the AVG does not apply to that situation either. I refer here to Article 2(2)(c) AVG on data processing of a personal nature and its interpretation as described in Recital 18. Taking a photograph and sending it to the newspaper does not involve any professional or commercial activity. The AVG is mainly concerned with that processing aimed at profession or trade. This is not the case here.
The newspaper, by virtue of its journalistic duty, will have stored the photograph and personal data. [7]
In the HagaZiekenhuis coverage, we also learned that the employee or employee who left the paper in the shopping cart was fired. The story does not say in what manner he or she was fired. For the employer, it is to be hoped that he or she did not issue a summary dismissal with only a brief mention of a data breach. Because there might not be a data breach. If that is the only basis, a district judge could make things difficult for the employer in any proceedings. It is to be hoped for that employer that he has given a concrete description of the facts on which the dismissal is based. Furthermore, we do not know the position of the dismissed employee or worker. There could be more reasons for the dismissal. For example, the Medical Treatment Agreement Act (Wgbo) has a duty of confidentiality, several medical professions have professional secrecy, and most likely the employment contract will have a confidentiality clause or a separate confidentiality agreement was signed. In any case, the confidentiality of medical records has been breached here.
In doing so, the employee or worker should have already realized solely by virtue of good employee conduct, even if he or she had the reuse of the paper in mind, that the privacy rights of patients, involving highly sensitive medical data, should take precedence over permanence in this case.
[1] Text and Commentary AVG, Gerrit-Jan Zwenne. Article 4, note 1. 2018.
[2] AVG. Article 9(1).
[3] About misdelivered letters, an envelope with credit card information and trash bags of court files. Gerrit-Jan Zwenne & Paul de Groot. 2017.
[4] The Telegraph. Feb. 10, 2017.
[5] AVG. Article4, sixth.
[6] AVG. Recital 15.
[7] UAVG. Article 43.
This article can also be found in the files Privacy in Healthcare and Data Breach
