In February 2022, the East Tallinn Central Hospital (ITK) renovated its Magdaleena unit. During this process, an unknown number of old patient records containing sensitive personal information and diagnoses were discarded by construction workers, who threw the documents into an open container standing in front of the hospital. This left individuals' health data freely accessible to anyone.

The Data Protection Inspectorate initiated proceedings, which concluded a year later with a €200,000 fine. The hospital, however, appealed the decision, going through all legal stages.

"ITK was fined for leaving physical medical records intended for destruction unsecured, allowing unauthorized persons to access them. The county court actually overturned our fine decision, stating that Estonian law conflicts with European Union law. Despite the negative outcome and the fine being canceled, the violation was substantively confirmed, and the subsequent legal developments highlight the complexities of the law," explained Pille Lehis, director general of the Data Protection Inspectorate.

According to the Estonian Penal Code, before penalizing a company, it is required to identify an employee responsible for the same offense within the company, and only then can the legal entity be fined.

This legal complexity culminated in the Supreme Court, which decided to terminate the case last week due to the expiration of the statute of limitations, leaving the case unresolved on its merits. The court panel found that courts are expected to complete misdemeanor proceedings before the statute of limitations expires only if they are given a reasonable time to do so. In this case, the court concluded that such time was not provided.

"Legally, the case remains unresolved due to the statute of limitations, which means the court cannot make a final decision. The law provides either two or three years to resolve misdemeanors, within which a final decision must be reached," said Saale Laos, chairperson of the Supreme Court's Criminal Chamber.

The panel attributed the delays to both the Data Protection Inspectorate, which sat on the information for seven months without action, causing a year to pass before reaching the fine decision, and the county court, which unjustifiably postponed the publication of the court's full text decision three times.

"When organizations are small and people come and go, these situations can sometimes arise, where there is a lack of continuity in proceedings. Unfortunately, this case was handled by several different people, which is also a reality of life. But, of course, we also need to look in the mirror," commented Lehis.

The end result is that individuals whose health data were left in the construction container remained unprotected. They were not even informed of this situation.

--

Follow ERR News on Facebook and Twitter and never miss an update!