Data Security and Human Rights

July 22, 2008

In I v Finland, the European Court of Human Rights (Fourth Section), sitting as a Chamber, has found that a person’s right to respect for their private life (under Article 8 of the ECHR) may be breached where the State fails to take appropriate steps to ensure that their data cannot be accessed improperly. Mere legislative protection and after-the-fact remedies are not enough: what is required of the State is ‘practical and effective protection to exclude any possibility of unauthorised access occurring in the first place’. The judgment was published on 17 July 2008.

The case concerns a Finnish woman who had some evidence that her health records had been accessed by work colleagues at the health establishment where she was employed. Colleagues hinted at her HIV status and made remarks suggesting that they knew she was HIV positive. I’s domestic complaint failed, essentially because the data security system protecting the record logged only the last five departments to have opened it: it recorded the department rather than the individual, and anything older than the last five accesses was overwritten, so no evidence of improper access could be found (although it may be that there was no such access). The hospital’s own audit trail, in other words, was both too coarse and too short to answer the one question that mattered: who looked at this record, and when.
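The practical difference between the two kinds of audit trail is easy to show. The following is an added illustration, not code from the judgment or from the hospital’s system: it models the ‘last five departments’ log the case describes alongside an append-only per-user log, runs the same constructed sequence of accesses through both, and asks each one who accessed the record. All names, record identifiers, departments and timestamps are constructed for the example.

```python
"""
Added example (not from the case): two audit-log designs for a patient record.

LastFiveDepartmentsLog models the limitation described in I v Finland: only the
last five *departments* to open a record are retained. AppendOnlyAccessLog keeps
every access with user, department and time, so it can answer "who accessed
record X between T1 and T2" and flag accesses by people outside the treating team.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Access:
    when: datetime
    user: str          # individual account, e.g. "nurse.x" (constructed)
    department: str    # organisational unit, e.g. "outpatients" (constructed)
    record_id: str
    reason: str        # stated justification, may be empty


class LastFiveDepartmentsLog:
    """Ring buffer of the last five departments per record, as described in the case."""

    def __init__(self):
        self._tail = {}  # record_id -> deque of department names, maxlen 5

    def record(self, a: Access):
        self._tail.setdefault(a.record_id, deque(maxlen=5)).append(a.department)

    def departments_seen(self, record_id):
        return list(self._tail.get(record_id, []))

    def who_accessed(self, record_id, start, end):
        # Neither the user nor the time of access is retained, and older entries
        # have been overwritten, so the question cannot be answered at all.
        return None


class AppendOnlyAccessLog:
    """Every access retained with user, department and timestamp; entries are never dropped."""

    def __init__(self):
        self._events = []

    def record(self, a: Access):
        self._events.append(a)

    def who_accessed(self, record_id, start, end):
        return [e for e in self._events
                if e.record_id == record_id and start <= e.when <= end]

    def unauthorised(self, record_id, start, end, treating_team):
        # Anyone outside the treating team who opened the record in the window.
        return [e for e in self.who_accessed(record_id, start, end)
                if e.user not in treating_team]


def build_sample_events():
    """Constructed sample: one suspicious read, then six routine reads by the treating clinician."""
    t0 = datetime(2008, 1, 7, 9, 0)
    events = [Access(t0, "nurse.x", "outpatients", "PT-0001", "")]
    for day in range(1, 7):
        events.append(Access(t0 + timedelta(days=day), "dr.aho",
                             "infectious diseases", "PT-0001", "treating clinician"))
    return events


def run_scenario(events, treating_team):
    """Feed the same events to both logs and compare what each can say afterwards."""
    ring, full = LastFiveDepartmentsLog(), AppendOnlyAccessLog()
    for e in events:
        ring.record(e)
        full.record(e)
    start, end = events[0].when, events[-1].when
    return {
        # The six later reads have pushed "outpatients" out of the five-slot buffer.
        "ring_departments": ring.departments_seen("PT-0001"),
        "ring_answer": ring.who_accessed("PT-0001", start, end),
        "full_count": len(full.who_accessed("PT-0001", start, end)),
        "full_unauthorised": [e.user for e in
                              full.unauthorised("PT-0001", start, end, treating_team)],
    }


if __name__ == "__main__":
    result = run_scenario(build_sample_events(), treating_team={"dr.aho"})
    print("ring buffer sees:      ", result["ring_departments"])
    print("ring buffer can answer:", result["ring_answer"])
    print("full log, total reads: ", result["full_count"])
    print("full log, unauthorised:", result["full_unauthorised"])
```

Two things are visible here that the court’s reasoning turns on. Even before the suspicious entry is evicted, the ring buffer can only say that ‘outpatients’ opened the record, not who; once five routine reads follow, even that trace is gone. The append-only log answers both questions and lets the onus of proof be met from the hospital’s own records. A production system would additionally protect the log itself against tampering (append-only storage, integrity checking), which this example deliberately leaves out.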

Having exhausted her domestic remedies, the applicant went to Strasbourg. The European Court of Human Rights has given her a very sympathetic hearing:

36.  Although the object of Article 8 is essentially that of protecting the individual against arbitrary interference by the public authorities, it does not merely compel the State to abstain from such interference: in addition to this primarily negative undertaking, there may be positive obligations inherent in an effective respect for private or family life (see Airey v. Ireland, judgment of 9 October 1979, Series A no. 32, p. 17, § 32). These obligations may involve the adoption of measures designed to secure respect for private life even in the sphere of the relations of individuals between themselves (see X and Y v. the Netherlands, judgment of 26 March 1985, Series A no. 91, p. 11, § 23; Odièvre v. France [GC], no. 42326/98, ECHR 2003-III).
37.  The Court observes that it has not been contended before it that there was any deliberate unauthorised disclosure of the applicant’s medical data such as to constitute an interference with her right to respect for her private life. Nor has the applicant challenged the fact of compilation and storage of her medical data. She complains rather that there was a failure on the part of the hospital to guarantee the security of her data against unauthorised access, or, in Convention terms, a breach of the State’s positive obligation to secure respect for her private life by means of a system of data protection rules and safeguards. The Court will examine the case on that basis, having regard in particular to the fact that in the domestic proceedings the onus was on the applicant to prove the truth of her assertion.
38.  The protection of personal data, in particular medical data, is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life as guaranteed by Article 8 of the Convention. Respecting the confidentiality of health data is a vital principle in the legal systems of all the Contracting Parties to the Convention. It is crucial not only to respect the sense of privacy of a patient but also to preserve his or her confidence in the medical profession and in the health services in general. The above considerations are especially valid as regards protection of the confidentiality of information about a person’s HIV infection, given the sensitive issues surrounding this disease. The domestic law must afford appropriate safeguards to prevent any such communication or disclosure of personal health data as may be inconsistent with the guarantees in Article 8 of the Convention (see Z v. Finland, judgment of 25 February 1997, Reports of Judgments and Decisions 1997-I, §§ 95-96).

The court judgment went on:

47.  The Court notes that the mere fact that the domestic legislation provided the applicant with an opportunity to claim compensation for damages caused by an alleged unlawful disclosure of personal data was not sufficient to protect her private life. What is required in this connection is practical and effective protection to exclude any possibility of unauthorised access occurring in the first place. Such protection was not given here.
48.  The Court cannot but conclude that at the relevant time the State failed in its positive obligation under Article 8 § 1 of the Convention to ensure respect for the applicant’s private life.
49.  There has therefore been a violation of Article 8 of the Convention.