Transferring the Health Data of a Data Subject to the Public Institution
The Personal Data Protection Board (“Board”) evaluated a complaint application regarding the transfer of a data subject's health data to a public institution for an administrative lawsuit in its decision dated 04.08.2023 and numbered 2022/790.
The complaint raised concerns about the request made by a public institution to a university hospital for information regarding the data subject, related to a lawsuit between the data subject and the public institution before an administrative court. The complaint argued that the transfer of the data subject's health data from the university hospital to the public institution constituted an unlawful processing of personal data.
The Board made the following explanations regarding the complaint:
Pursuant to Article 6/1 of the Law on the Protection of Personal Data No. 6698 (“DPL”), the health data of the data subject transferred to the public institution by the data controller falls into the scope of the special categories of personal data.
The public institution stated in its letter that the reason for requesting the data was "to serve as a basis for an ongoing administrative lawsuit." However, the data subject, in their complaint petition, stated that they were the plaintiff, an employee of the public institution in question, and that the defendant was that same public institution in the administrative court lawsuit. Considering the data controller's defense regarding Article 8 of the DPL, it was evaluated that the conditions set forth in Article 6 of the DPL were not met in the processing activity, namely the transfer of the special categories of personal data requested due to the ongoing administrative lawsuit between the data subject and the public institution.
In violation of the data minimization principle, more special categories of personal data were transferred than requested. The transfer included the medical report, anamnesis forms, epicrisis reports, consultation forms, patient medical clinical course information, pathology report, and radiology reports contained on a CD. The personal data was processed without considering the principle of "being processed for specified, explicit, and legitimate purposes" stipulated in Article 4/2-c of the Law.
The data subject claimed that the doctor misunderstood the data subject’s statements in the patient examination information section of the patient history form, where it was written that the data subject sporadically used marijuana. This information was obtained as a result of diagnostic questions asked by the doctor and contained information about the patient's current or past diseases. When the form with the statement was delivered to the public institution, a criminal complaint was filed against the data subject, but it was later determined that the data subject would not be prosecuted. The data controller did not respond to the data subject's request to delete the data and information regarding cannabis use. According to Article 13 of the Regulation on Personal Health Data, the data subject should first apply to the provincial health directorate regarding any health data claimed to be created by mistake. The data subject may request correction by applying to the provincial health directorate affiliated with the data controller, as there are regulations on the necessity of such applications and the actions to be taken to correct inadvertently created health data.
Although the data controller stated that the data subject's application was not answered and was implicitly rejected in accordance with Article 10, titled "The Silence of the Administrative Authorities," of the Administrative Procedure Law No. 2577, Article 13/2 of the DPL states that the requests made to the data controller in the application must be concluded free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request.
In this regard, the Board adopted the following decisions:
Regarding the transfer of special categories of personal data, it was concluded that the conditions specified in the DPL were not met. Although explicit consent from the data subject was not applicable, it was determined that the health data was transferred to the public institution in violation of the DPL. Additionally, since the shared information was broader in scope than what was requested, it was considered that the data controller university hospital did not fulfill its obligation to take all necessary technical and administrative measures regarding the security of personal data under Article 12/1 of the DPL. Therefore, the data controller was instructed to take action against those responsible through disciplinary provisions and to inform the Board accordingly.
The data controller was instructed to take the necessary actions, both within its own body and, if necessary, by directing the relevant person, in accordance with Article 11 of the DPL, to address the data subject's right to request correction of their personal data. The actions should be taken before the provincial health directorate, and the Board should be informed of the result.
The data controller was instructed to take necessary actions to ensure the destruction of the transferred data at the public institution to which the data subject filed the complaint. The Board should be informed of the result of this transaction.
The data controller was reminded of the obligation to finalize data subject requests as soon as possible and within thirty days, based on the nature of the request, in accordance with the Law and the Communique on the Principles and Procedures for the Request to Data Controller.
Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş