The Swedish Data Protection Authority took a closer look at eight health care providers in Sweden. Special attention was paid to technical and organizational measures of their systems processing electronic health records.

Access to personal data in general should be not only regulated in regards to external providers but also internal personnel. The often referenced “need-to-know” principle is pretty self-explanatory: Does your personnel has to have access to the particular data to carry out his or her task? To all of that data? And if so, why? And for how long?

The Swedish watchdog concluded that health care providers must carry out such analysis and assessments thoroughly and also determine the risk that such access poses to the data subjects. What is interesting, but not surprising is, that the authority also challenges the fact that such documented assessments have not been performed, independent of whether or not the respective access rights can be justified under the Swedish Patient Data Act, a complementary to the General Data Protection Regulation (GDPR). This is in line with the accountability principle according to Art. 5 para. 2 GDPR, which requires the data controller responsible for the processing, to be able to demonstrate compliance with the applicable data protection principles and rules.

According to its findings, the authority declared that seven of the eight audited providers, did not carry out the required ‘needs’ and risk analysis’. The resulting fine for these providers reached up to 2.9 million Euro.

The aforementioned will not only concern health care providers, but especially also any company in the medical/pharma sector processing health data. As a positive take away from these audits, the Swedish Data Protection Authority developed guidelines in order to help companies to conduct proper ‘needs’ and risk analysis’.