(Application no. 20511/03)
17 July 2008
This judgment will become final in the circumstances set out in Article 44 § 2 of the Convention. It may be subject to editorial revision.
In the case of I v. Finland,
The European Court of Human Rights (Fourth Section), sitting as a Chamber composed of:
David Thór Björgvinsson,
Mihai Poalelungi, judges,
and Lawrence Early, Section Registrar,
Having deliberated in private on 24 June 2008,
Delivers the following judgment, which was adopted on that date:
1. The case originated in an application (no. 20511/03) against the Republic of Finland lodged with the Court under Article 34 of the Convention for the Protection of Human Rights and Fundamental Freedoms (“the Convention”) by a Finnish national (“the applicant”) on 20 June 2003. The President of the Chamber acceded to the applicant’s request not to have her name disclosed (Rule 47 § 3 of the Rules of Court).
2. The applicant was represented by Mr S. Heikinheimo, a lawyer practising in Helsinki. The Finnish Government (“the Government”) were represented by their Agent, Mr Arto Kosonen of the Ministry for Foreign Affairs.
3. The applicant alleged, in particular, a violation of Article 8 of the Convention.
4. On 19 January 2006 the President of the Fourth Section of the Court decided to give notice of the application to the Government. Under the provisions of Article 29 § 3 of the Convention, it was decided to examine the merits of the application at the same time as its admissibility.
I. THE CIRCUMSTANCES OF THE CASE
5. The applicant was born in 1960.
6. Between 1989 and 1994 the applicant worked on fixed-term contracts as a nurse in the polyclinic for eye diseases in a public hospital. From 1987 she paid regular visits to the polyclinic for infectious diseases of the same hospital, having been diagnosed as HIV-positive.
7. Early in 1992 the applicant began to suspect that her colleagues were aware of her illness. At that time hospital staff had free access to the patient register which contained information on patients’ diagnoses and treating doctors. After she confided her suspicions to her doctor in summer 1992, the hospital’s register was amended so that henceforth only the treating clinic’s personnel had access to its patients’ records. The applicant was registered in the patient register under a false name. Apparently later her identity was changed once again and she was given a new social security number.
8. In 1995 the applicant changed her job as her temporary contract was not renewed.
9. On 25 November 1996, the applicant complained to the County Administrative Board (lääninhallitus, länsstyrelsen), requesting it to examine who had accessed her confidential patient record. Upon request, the director in charge of the hospital’s archives filed a statement with the County Administrative Board, according to which it was not possible to find out who, if anyone, had accessed the applicant’s patient record as the data system revealed only the five most recent consultations (by working unit and not by person) and even this information was deleted once the file was returned to the archives.
10. In its decision of 20 October 1997 the County Administrative Board held that:
“Section 12 of the Patient’s Status and Rights Act (laki potilaan asemasta ja oikeuksista, lag om patientens ställning och rättigheter) provides that the health authorities and staff have to comply with the regulations issued by the Ministry for Social Affairs and Health (sosiaali- ja terveysministeriö, social- och hälsovårdsministeriet, “the Ministry”) when preparing and processing patient records. Pursuant to this section the Ministry has issued, on 25 February 1993, Regulation no. 16/02/93.
In the said Regulation it is noted that patient records must be prepared having due regard to the secrecy regulations and the protection obligation and the duty to take care pursuant to the Personal Files Act (henkilörekisterilaki, personregisterlagen; Act no. 471/1987). According to the duty to take care, precaution and good registering practices must be observed when gathering, depositing, using and delivering data and these must be done in a manner so as not to infringe unnecessarily the right to privacy of the registered person or his or her benefits and rights. The protection obligation means that data in patient records must be duly protected against unauthorised processing, use, destruction, amendment and theft (sections 3 and 26 of the Personal Files Act).
In the said Regulation it is also noted that the patient records must form an entity to ensure that outsiders cannot gain unauthorised access to them and that, in addition to the said obligations, in accordance with the Personal Files Act, the purpose of use of the said data can be taken into account. This way it can be made sure that requisite patient data are only given to the personnel participating in the treatment of the patient.
[The applicant] has in her representations alleged that [X], who is working for [the hospital] has ordered up the case history of [the applicant’s ex-husband] and that someone else has ordered up her file or visited the archives and read her file and/or that of [her son] and that the data have been transmitted to [Y] and other staff mentioned in [the applicant’s] representations.
[X] has contested having proceeded erroneously. The other persons mentioned in [the applicant’s] representations have contested having had knowledge of the data mentioned therein concerning [the applicant] and her family.
According to the director in charge of [the hospital’s] archives it is not possible to retroactively clarify the use of patient records. The data system reveals only the five most recent consultations (by working unit and not by person) but this information is deleted once the file has been returned to the archives.
Therefore, the County Administrative Board cannot further rule on whether information contained in the patient records has been used by or given to an outsider.
Having regard to the foregoing, the County Administrative Board however finds that the system should record any consultation of patient files as a safeguard of privacy in order to ensure that the responsibility for a possible leak of information can be individualised. For the future, the County Administrative Board draws the hospital’s attention to the protection obligation and the duty to take care provided by the Personal Files Act, and further, to the need to ensure that privacy protection is not put at risk when processing medical data within the hospital. ...”
11. Subsequently, in March 1998, the hospital’s register was amended in that it became possible retrospectively to identify any person who had accessed a patient record.
12. On 15 May 2000, the applicant instituted civil proceedings against the District Health Authority (sairaanhoitopiirin kuntayhtymä, samkommunen för sjukvårdsdistriktet), which was responsible for the hospital’s patient register, claiming non-pecuniary and pecuniary damage for the alleged failure to keep her patient record confidential.
13. On 10 April 2001, the District Court (käräjäoikeus, tingsrätten), having held an oral hearing, rejected the action. Having assessed the evidence before it, including five witness statements, the decision of the County Administrative Board and a statement of the Data Protection Ombudsman (tietosuojavaltuutettu, dataombudsmannen), the court did not find firm evidence that the applicant’s patient record had been unlawfully consulted.
14. The applicant appealed to the Court of Appeal (hovioikeus, hovrätten), maintaining her claim that the hospital had not complied with the domestic law, in breach of her right to respect for her private life.
15. On 7 March 2002, the Court of Appeal, having held an oral hearing, considered that the applicant’s testimony about the events, such as her colleagues’ hints and remarks about her HIV infection, was reliable and credible. Like the District Court it did not, however, find firm evidence that her patient record had been unlawfully consulted. It ordered the applicant to reimburse the respondent’s legal expenses before the District Court and the Court of Appeal, amounting to 2,000 euros (EUR) and EUR 3,271.80 plus interest, respectively.
16. In her application for leave to appeal to the Supreme Court (korkein oikeus), the applicant claimed inter alia that there had been a violation of her right to respect for her private life.
17. On 23 December 2002 the Supreme Court refused leave to appeal.
II. RELEVANT DOMESTIC LAW AND PRACTICE
18. The Finnish Constitution Act (Suomen hallitusmuoto, Regeringsform för Finland; Act no. 94/1919, as amended by Act no. 969/1995) was in force until 1 March 2000. Its section 8 corresponded to Article 10 of the current Finnish Constitution (Suomen perustuslaki, Finlands grundlag; Act no. 731/1999), which provides that everyone’s right to private life is guaranteed.
19. Until 1 June 1999, the rules governing the use and confidentiality of personal data were laid down in the Personal Files Act of 1987. Sections 6 and 7 of the Act prohibited the processing of sensitive personal data, including information on a person’s health and medical treatment, except within the health authorities. Unauthorised disclosure of personal data was prohibited under section 18 and illegal use of disclosed data was prohibited under section 21. Pursuant to section 26 the data controller had to ensure that personal data and information contained therein were appropriately secured against any unlawful processing, use, destruction, amendment and theft. In this regard, the explanatory report of the Government Bill (no. 49/1986) for the enactment of the Personal Files Act stated that the mere existence of legal provisions did not suffice to guarantee the protection of privacy. In addition, the data controller had to make sure that data were protected de facto. When planning the physical protection of the data system regard must be had to, inter alia, whether the system was manual or automated. The delicate nature of the information naturally affected the scope of the protection obligation. Under section 42, the data controller was liable to compensate pecuniary damage suffered as a result of the use or disclosure of incorrect personal data or of unlawful use or disclosure of personal data.
20. On 1 June 1999, a new Personal Data Act (henkilötietolaki, personuppgiftslag; Act no. 523/1999) entered into force. Section 11 of the Act prohibits processing of sensitive personal data. However, under section 12, health care professionals may process data relating to a person’s state of health, illness, handicap or treatment if they are indispensable in his/her treatment. Section 32 provides that the data controller shall carry out the technical and organisational measures necessary for securing personal data against unauthorised access, accidental or unlawful destruction, manipulation, disclosure and transfer as well as against other unlawful processing. Section 33 lays down a secrecy obligation for those who have gained knowledge of someone’s personal circumstances. Under section 47, the data controller is liable to compensate pecuniary and other damage suffered by the data subject or another person as a result of the processing of personal data in violation of the provisions of the Act.
21. The Patient’s Status and Rights Act entered into force on 1 March 1993. Section 12, as in force until 1 August 2000, provided that the health authorities had to comply with the regulations issued by the Ministry for Social Affairs and Health (“the Ministry”) when creating and processing patients’ personal and medical data.
22. According to the Ministry’s Regulation no. 16/02/93, issued on 25 February 1993, a patient’s privacy had to be secured when creating and processing his/her patient record. The data controller had to make sure that outsiders could not gain unauthorised access to sensitive personal data and that only the personnel treating a patient had access to his/her patient register.
23. Section 13 of the Patient’s Status and Rights Act provided that health care professionals or other persons working in a health care unit were not allowed to reveal to an outsider (that is a person not participating in the treatment of the patient) information contained in the patient documents without the written consent of the patient. The said section has been amended as of 1 August 2000 (Act no. 653/2000) to the effect that it must be recorded in the data file if patient records have been revealed as well as the grounds for the disclosure.
24. Further, the Health Care Professionals Act (laki terveydenhuollon ammattihenkilöistä, lag om yrkesutbildade personer inom hälso- och sjukvården; Act no. 559/1994) contains provisions on the retention of patient documents and their confidentiality (section 16) and on the obligation of secrecy (section 17).
25. Finally, the new Electronic Processing of Client Information Act (laki sosiaali- ja terveydenhuollon asiakastietojen sähköisestä käsittelystä, lag om elektronisk behandling av klientuppgifter inom social- och hälsovården; Act no. 159/2007) entered into force on 1 July 2007. The aim of this Act is to further enforce patients’ rights in the context of the processing of electronic personal data within the social and health care.
I. ALLEGED VIOLATION OF ARTICLE 8 OF THE CONVENTION
26. The applicant complained that the district health authority had failed in its duties to establish a register from which her confidential patient information could not be disclosed.
Article 8 of the Convention reads as follows:
“1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”
27. The Government contested that argument.
28. The Court notes that the application is not manifestly ill-founded within the meaning of Article 35 § 3 of the Convention. It further notes that it is not inadmissible on any other grounds. It must therefore be declared admissible.
1. The parties’ submissions
29. The applicant submitted that the measures taken by the domestic authorities to safeguard her right to respect for her private life had not been sufficient. At the relevant time, at the beginning of the 1990s, the hospital’s data system was not controlled as provided in the law. Anyone working in the hospital could have accessed her patient record as the hospital register retained only the five most recent users’ identification data (usually not the users’ names but only their working units). Furthermore, the data were deleted after the file was returned to the archives. It was only after the decision of the County Administrative Board of 20 October 1997 that the hospital’s data system was changed.
30. In her view a retrospective control would have been of vital importance. The data system should have indicated who had accessed her patient record so as to make it possible to find out whether access had been lawful. The domestic courts rejected her claim for compensation for the reason that she could not identify a person who had obtained information about her illness from her patient record. She was, however, unable to prove her claims only because the data control system in the hospital was inadequate at the relevant time.
31. The Government considered that there was no violation of the applicant’s right within the meaning of Article 8 as the Finnish legislation at the time guaranteed the secrecy of a person’s health information and, in principle, all patient information was kept secret. Only those participating in the patient’s treatment were entitled to process data concerning him or her.
32. Further, the data controller was obliged to ensure that unauthorised persons could not see and process personal data. The controller was responsible for protecting personal data and had as a matter of strict liability to compensate any damage caused. Furthermore, although the legislation did not contain any detailed provisions on the keeping and retention of log-in files, the data controller had a general legal obligation to control the use of personal data files.
33. As to the instant case, the Government admitted that in the early 1990s the use of the patient register in the hospital concerned was controlled by storing the identification data of the five most recent users of a patient record. Later, in 1998, the management system was changed so that each consultation of a patient record was logged and stored.
34. The Government further stressed that a hospital’s system for recording and retrieving patient information could only be based on detailed instructions and their observance, the high moral standards of the personnel, and a statutory secrecy obligation. Relevant detailed instructions had been drafted at the hospital; the personnel were allowed to obtain information from the register only for strictly limited purposes. It would not have been possible for the hospital to create a system verifying in advance the authenticity of each request for information as patient records were often needed urgently and immediately. Finally, the Government pointed out that the procedural guarantees were fulfilled in that the applicant had the right to initiate court proceedings in the event of any defective handling of her patient data.
2. The Court’s assessment
35. The hospital was a public hospital for whose acts the State is responsible for the purposes of the Convention (see Glass v. the United Kingdom, no. 61827/00, § 71, ECHR 2004-II). The processing of information relating to an individual’s private life comes within the scope of Article 8 § 1 (see Rotaru v. Romania [GC], no. 28341/95, § 43, ECHR 2000-V, Leander v. Sweden, judgment of 26 March 1987, Series A no. 116, § 48). Personal information relating to a patient undoubtedly belongs to his or her private life. Article 8 is therefore applicable in the instant case. Indeed, this has not been contested by the parties.
36. Although the object of Article 8 is essentially that of protecting the individual against arbitrary interference by the public authorities, it does not merely compel the State to abstain from such interference: in addition to this primarily negative undertaking, there may be positive obligations inherent in an effective respect for private or family life (see Airey v. Ireland, judgment of 9 October 1979, Series A no. 32, p. 17, § 32). These obligations may involve the adoption of measures designed to secure respect for private life even in the sphere of the relations of individuals between themselves (see X and Y v. the Netherlands, judgment of 26 March 1985, Series A no. 91, p. 11, § 23; Odièvre v. France [GC], no. 42326/98, ECHR 2003-III).
37. The Court observes that it has not been contended before it that there was any deliberate unauthorised disclosure of the applicant’s medical data such as to constitute an interference with her right to respect for her private life. Nor has the applicant challenged the fact of compilation and storage of her medical data. She complains rather that there was a failure on the part of the hospital to guarantee the security of her data against unauthorised access, or, in Convention terms, a breach of the State’s positive obligation to secure respect for her private life by means of a system of data protection rules and safeguards. The Court will examine the case on that basis, having regard in particular to the fact that in the domestic proceedings the onus was on the applicant to prove the truth of her assertion.
38. The protection of personal data, in particular medical data, is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life as guaranteed by Article 8 of the Convention. Respecting the confidentiality of health data is a vital principle in the legal systems of all the Contracting Parties to the Convention. It is crucial not only to respect the sense of privacy of a patient but also to preserve his or her confidence in the medical profession and in the health services in general. The above considerations are especially valid as regards protection of the confidentiality of information about a person’s HIV infection, given the sensitive issues surrounding this disease. The domestic law must afford appropriate safeguards to prevent any such communication or disclosure of personal health data as may be inconsistent with the guarantees in Article 8 of the Convention (see Z v. Finland, judgment of 25 February 1997, Reports of Judgments and Decisions 1997-I, §§ 95-96).
39. The Court notes that at the beginning of the 1990s there were general provisions in Finnish legislation aiming at protecting sensitive personal data. The Court attaches particular relevance to the existence and scope of the Personal Files Act of 1987 (see paragraph 19 above). It notes that the data controller had to ensure under section 26 that personal data were appropriately secured against, among other things, unlawful access. The data controller also had to make sure that only the personnel treating a patient had access to his or her patient record.
40. Undoubtedly, the aim of the provisions was to secure personal data against the risk of unauthorised access. As noted in Z v. Finland, the need for sufficient guarantees is particularly important when processing highly intimate and sensitive data, as in the instant case, where, in addition, the applicant worked in the same hospital where she was treated. The strict application of the law would therefore have constituted a substantial safeguard for the applicant’s right secured by Article 8 of the Convention, making it possible, in particular, to police strictly access to and disclosure of health records.
41. However, the County Administrative Board found that, as regards the hospital in issue, the impugned health records system was such that it was not possible to retroactively clarify the use of patient records as it revealed only the five most recent consultations and that this information was deleted once the file had been returned to the archives. Therefore, the County Administrative Board could not determine whether information contained in the patient records of the applicant and her family had been given to or accessed by an unauthorised third person (see paragraph 10 above). This finding was later upheld by the Court of Appeal following the applicant’s civil action. The Court for its part would also note that it is not in dispute that at the material time the prevailing regime in the hospital allowed for the records to be read also by staff not directly involved in the applicant’s treatment.
42. It is to be observed that the hospital took ad hoc measures to protect the applicant against unauthorised disclosure of her sensitive health information by amending the patient register in summer 1992 so that only the treating personnel had access to her patient record and the applicant was registered in the system under a false name and social security number (see paragraph 7 above). However, these mechanisms came too late for the applicant.
43. The Court of Appeal found that the applicant’s testimony about the events, such as her colleagues’ hints and remarks beginning in 1992 about her HIV infection, was reliable and credible. However, it did not find firm evidence that her patient record had been unlawfully consulted (see paragraph 15 above).
44. The Court notes that the applicant lost her civil action because she was unable to prove on the facts a causal connection between the deficiencies in the access security rules and the dissemination of information about her medical condition. However, to place such a burden of proof on the applicant is to overlook the acknowledged deficiencies in the hospital’s record keeping at the material time. It is plain that had the hospital provided a greater control over access to health records by restricting access to health professionals directly involved in the applicant’s treatment or by maintaining a log of all persons who had accessed the applicant’s medical file, the applicant would have been placed in a less disadvantaged position before the domestic courts. For the Court, what is decisive is that the records system in place in the hospital was clearly not in accordance with the legal requirements contained in section 26 of the Personal Files Act, a fact that was not given due weight by the domestic courts.
45. The Government have not explained why the guarantees provided by the domestic law were not observed in the instant hospital. The Court notes that it was only in 1992, following the applicant’s suspicions about an information leak, that only the treating clinic’s personnel had access to her medical records. The Court also observes that it was only after the applicant’s complaint to the County Administrative Board that a retrospective control of data access was established (see paragraph 11 above).
46. Consequently, the applicant’s argument that her medical data were not adequately secured against unauthorised access at the material time must be upheld.
47. The Court notes that the mere fact that the domestic legislation provided the applicant with an opportunity to claim compensation for damages caused by an alleged unlawful disclosure of personal data was not sufficient to protect her private life. What is required in this connection is practical and effective protection to exclude any possibility of unauthorised access occurring in the first place. Such protection was not given here.
48. The Court cannot but conclude that at the relevant time the State failed in its positive obligation under Article 8 § 1 of the Convention to ensure respect for the applicant’s private life.
49. There has therefore been a violation of Article 8 of the Convention.
II. ALLEGED VIOLATIONS OF ARTICLES 6 AND 13 OF THE CONVENTION
50. The applicant complained of a violation of Articles 6 and 13 as she, as a complainant, bore the burden of proof to show that some of her colleagues had unlawfully accessed her patient records but that she was unable to obtain evidence about this due to the deficient safeguards in her data register.
51. Having regard to the finding relating to Article 8, the Court considers that it is not necessary to examine this aspect of the application (see, among other authorities, Sallinen and Others v. Finland, no. 50882/99, § 102, 110, 27 September 2005, Copland, cited above, §§ 50-51).
III. APPLICATION OF ARTICLE 41 OF THE CONVENTION
52. Article 41 of the Convention provides:
“If the Court finds that there has been a violation of the Convention or the Protocols thereto, and if the internal law of the High Contracting Party concerned allows only partial reparation to be made, the Court shall, if necessary, afford just satisfaction to the injured party.”
53. Under the head of pecuniary damage the applicant claimed 38,115.53 euros (EUR) made up of the following sums: EUR 20,000 for loss incurred following the hospital’s refusal to renew her work contract as a result of which she had been unemployed during the period 22 September 1993 to 1 June 1995; EUR 5,988.06 for legal costs which she was ordered to reimburse to the hospital; EUR 446.79 for the costs of a private detective in order to uncover evidence for the compensation proceedings; EUR 11,680.67 for economic loss flowing from the sale of her home since she had to move house due to the rumours concerning her disease.
Under the head of non-pecuniary damage she claimed EUR 30,000 for the distress caused by the need to change her place of work and the fact that the rumours about her HIV infection had affected her son’s life.
54. The Government admitted that the hospital’s legal fees less an execution fee and interest on overdue payment (EUR 216.26 in total), that is EUR 5,771.80, might be awarded under the head of pecuniary damage.
As to non-pecuniary damage, they submitted that only the applicant could be awarded compensation and that it should not exceed EUR 3,000.
55. The Court does not discern a sufficient causal link between the violation found and the pecuniary damage alleged save for the hospital’s actual legal costs of EUR 5,771.80 which the applicant was ordered to reimburse in the domestic proceedings.
The Court finds it established that the applicant must have suffered non-pecuniary damage as a result of the State’s failure to adequately secure her patient record against the risk of unauthorised access. It considers that sufficient just satisfaction would not be provided solely by the finding of a violation and that compensation has thus to be awarded. Deciding on an equitable basis, it awards the applicant EUR 8,000 under this head.
B. Costs and expenses
56. The applicant also claimed EUR 15,758.25 for the costs and expenses incurred before the domestic courts, including EUR 500 for her own expenses such as telephone and travel costs, and EUR 5,570 for those incurred before the Court, including EUR 200 for her own expenses such as those mentioned above.
57. The Government considered that the award should not exceed EUR 12,000 (inclusive of value-added tax).
58. The Court reiterates that an award under this head may be made only in so far as the costs and expenses were actually and necessarily incurred in order to avoid, or obtain redress for, the violation found (see, among other authorities, Hertel v. Switzerland, judgment of 25 August 1998, Reports 1998-VI, p. 2334, § 63). Furthermore, the Court reiterates that under Article 41 of the Convention no awards are made in respect of the time or work put into an application by the applicant as this cannot be regarded as monetary costs actually incurred by him or her (see Lehtinen v. Finland (no. 2), no. 41585/98, § 57, 8 June 2006). In the present case, regard being had to the information in its possession and the above criteria, the Court considers it reasonable to award the total sum of EUR 20,000 (inclusive of value-added tax) for costs and expenses in the domestic proceedings and the proceedings before the Court.
C. Default interest
59. The Court considers it appropriate that the default interest should be based on the marginal lending rate of the European Central Bank, to which should be added three percentage points.
FOR THESE REASONS, THE COURT UNANIMOUSLY
1. Declares the application admissible;
2. Holds that there has been a violation of Article 8 of the Convention;
3. Holds that there is no need to examine the complaints under Articles 6 and 13 of the Convention;
4. Holds
(a) that the respondent State is to pay the applicant, within three months from the date on which the judgment becomes final in accordance with Article 44 § 2 of the Convention, the following amounts:
(i) EUR 5,771.80 (five thousand seven hundred and seventy-one euros and eighty cents), plus any tax that may be chargeable, in respect of pecuniary damage;
(ii) EUR 8,000 (eight thousand euros), plus any tax that may be chargeable, in respect of non-pecuniary damage;
(iii) EUR 20,000 (twenty thousand euros), plus any tax that may be chargeable to the applicant, in respect of costs and expenses;
(b) that from the expiry of the above-mentioned three months until settlement simple interest shall be payable on the above amounts at a rate equal to the marginal lending rate of the European Central Bank during the default period plus three percentage points;
5. Dismisses the remainder of the applicant’s claim for just satisfaction.
Done in English, and notified in writing on 17 July 2008, pursuant to Rule 77 §§ 2 and 3 of the Rules of Court.
Lawrence Early Nicolas
I v. FINLAND JUDGMENT