Deficiencies in how healthcare providers control staff access to patient journal data

7 December 2020

The Swedish Data Protection Authority has audited eight health care providers on how they govern and restrict personnel's access to their main systems for electronic health records. The DPA has found deficiencies that in seven of the eight cases result in administrative fines of up to SEK 30 million.

The Swedish Data Protection Authority has now concluded a review of eight health care providers. The review examined primarily whether the health care providers had conducted the needs' and risk analysis required in order to assign adequate access authorisation for personal data in the electronic health records.

— Health care providers must carry out a thorough analysis and assessment of the personnel's need to access information in the health records and the risks that accessing patient data includes, according to the Swedish Patient Data Act that is complementary to the GDPR. Without such analysis, health care providers cannot assign the personnel a correct level of authorisation, which in turn means that the organisations cannot guarantee patients' right to privacy protection, says Magnus Bergström, coordinator of the eight audits.

The Swedish Data Protection Authority notes that seven of the health care providers have not carried out a needs' and risk analysis, while one care provider has carried out an analysis that, however, includes some shortcomings.

The authority concludes that seven of the health care providers do not limit the users' access authorisation to the respective patient journal system to what is strictly necessary for the performance of their tasks.

— This means that the seven health care providers have not taken appropriate measures to ensure and be able to demonstrate a sufficient level of security for the personal data in the electronic health record systems.

The deficiencies of seven healthcare providers are so serious that they result in administrative fines of between SEK 2.5 and 30 million. The calculation of the amount of the fine differs significantly depending on whether the provider is a private company or a public authority. For companies, the maximum fine is EUR 20 million or four percent of the company's global annual turnover, whichever is higher. For public authorities in Sweden, the maximum fine is SEK 10 million.

The Swedish Data Protection Authority has developed guidelines that summarise the conclusions from the audits with regard to the obligation to conduct needs' and risk analyses.

— This guidance points to the importance of health care providers ensuring that needs' and risk analyses are carried out. The aim is to help care providers in conducting such analyses, which need to be carried out before any access authorisation is assigned in a health record system. Our hope is now that all the healthcare providers in the country use this guidance in their work to ensure that authorisation is correctly done, in order to guarantee patients the privacy protection they are entitled to, says Magnus Bergström.

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.