Data protection breaches should be notified without undue delay
The President of the Personal Data Protection Office, Mirosław Wróblewski, imposed a fine of 29,648 PLN on the County Hospital in Września for failing to notify the Polish SA without undue delay of a data breach under its administration and for failing to inform the data subject in a timely manner.
The President of the Personal Data Protection Office became aware of the case from the Ombudsman for Patients. One of the hospital's patients was given another person's medical documentation. The documentation contained the name, date of birth, PESEL number and health data.
The hospital explained that it was not aware of the incident and therefore did not notify it. At the request of the Polish SA, it provided a data risk analysis and the content of the notification, which it then sent - too late - to the data subject affected by the disclosure.
The hospital - the data controller - explained to the President of the Personal Data Protection Office that, in its opinion, the risk of harm arising from the disclosure of the patient's personal data to an unauthorised person was low and did not require any further action. The hospital informed the data subject of the matter. However, because the hospital did not notify the breach to the Polish SA, the latter could not react and support the controller in minimising the consequences of the breach that had already occurred.
The President of the Personal Data Protection Office emphasises that accidental disclosure of personal data to even one identified person may lead to an increase in the scale of the breach and thus create a risk of breach of the data subject's rights or freedoms.
The President of the Polish SA considered that an administrative fine should be imposed. Its imposition is intended to ensure that the hospital fulfils its data protection obligations in the future, in particular with regard to breach notification.