The Court made its ruling based on Article 8 of the European
Convention on Human Rights, which guarantees every citizen the
right to a private life. It said that it was uncontested that the
confidentiality of medical records is a vital component of a
private life.
The Court ruled that public bodies and governments will fall
foul of that Convention if they fail to keep private the data
that should be kept private.
The woman in the case did not have to show a wilful publishing
or release of data, it said. A failure to keep it secure was enough
to breach the Convention.
A Finnish woman worked in an eye clinic where she also received
treatment, having been diagnosed with AIDS.
The woman began to suspect that news of her disease had spread
to other employees and asked to be shown who had accessed her
medical records and when. The health authorities only kept a note
of the last five people to have accessed a record.
The woman, known in the case as I, sued the District Health
Authority for failing to keep her medical records confidential.
She lost that case because the court found that there was no
firm evidence that her record had been accessed unlawfully. She
also lost her appeal, and was refused permission to take her case
to Finland's Supreme Court.
The Court of Human Rights found that there were privacy laws in
place in Finland when the incidents occurred that required medical
data to be properly protected. Had these been strictly followed, it
found, I's records would have had enough protection.
The Court recognised that the Finnish courts did not find in I's
favour because she could not prove that her record had been
misused, but said that "to place such a burden of proof on the
applicant is to overlook the acknowledged deficiencies in the
hospital’s record keeping at the material time."
"It is plain that had the hospital provided a greater control
over access to health records … the applicant would have been
placed in a less disadvantaged position before the domestic
courts," the Court said. "For [this] Court, what is decisive is
that the records system in place in the hospital was clearly not in
accordance with the legal requirements."
The Court said that the existence of the right to sue if
information is disclosed is not the same as protecting privacy in
the first place. "What is required in this connection is practical
and effective protection to exclude any possibility of unauthorised
access occurring in the first place. Such protection was not given
here," it ruled. "The Court cannot but conclude that at the
relevant time the State failed in its positive obligation under
Article 8 (1) of the Convention to ensure respect for the
applicant’s private life."
Data protection law expert Dr Chris Pounder of Pinsent Masons,
the law firm behind OUT-LAW, said that the case establishes a vital
link between the protection of personal information and a person's
entitlement to privacy under human rights law. The European
Convention on Human Rights is incorporated into UK law by the
Human Rights Act.
"The judgment is important because it links security of personal
data to the human rights framework," said Pounder. "Organisations
have to be proactive in their security practices and procedures. It
is not sufficient to say that 'we will do something' security-wise
– it will be important to show that that something has been
done."
The Court awarded I €13,771 in damages and €20,000 in costs.