Monday, September 01, 2008

ECHR case: I v Finland

The European Court of Human Rights has recently ruled in I v Finland (application no. 20511/03), a case concerning the privacy protection of medical data. I have yet to read through the judgment, but have a look at a short summary (via the blogger Where is my Data):

On 17th July 2008, at the ECHR (Strasbourg), in the case “I” v Finland the court found against Finland, and awarded “I” €13,771 in damages and €20,000 in costs.

Outline of the Case:

The applicant “I”, now 48, stated that her private medical records were accessed by other people (as a result of which she possibly lost her job as a nurse).

The access was not recorded, as no records of this were kept at the time (around 1992).

The Court decided that the hospital was controlled by the State, and that Finland was therefore responsible for the actions there. The court also stated that personal information relating to a patient undoubtedly belongs to his or her private life. Therefore Article 8, freedom to a private life, is applicable in this case.

The European Court of Human Rights found that a person’s right to respect for their private life (under the ECHR) may be breached where the State fails to take appropriate steps to secure data, so that it cannot be accessed improperly.

Article 8 not only means the government must not interfere, but may also require it to undertake positive actions to prevent such interference, e.g. the adaptation of systems/controls to protect data.

In this case there is no statement that there was deliberate and unauthorized access of data, only that there was a failure to secure the data appropriately, i.e. a breach of Finland’s positive obligations under Article 8. The court found in favour of the Applicant.

Summary: The ECHR found that if personal data is not secured adequately, and the State does not take positive steps to do so (not just legislation but technical and procedural steps as well), then the State is in breach of Article 8.

5 comments:

Ian said...

How does the United Nations Website Privacy Policy sit with this judgement?

http://www.un.org/privacy.htm

"By accessing this site, certain information about the User, such as Internet protocol (IP) addresses, navigation through the Site, the software used and the time spent, along with other similar information, will be stored on United Nations servers. These will not specifically identify the User. The information will be used internally only for web site traffic analysis. If the User provides unique identifying information, such as name, address and other information on forms stored on this Site, such information will be used only for statistical purposes and will not be published for general access. The United Nations, however, assumes no responsibility for the security of this information."

Whilst the UN political exemptions and protections are understandable, and their unique situation probably leads them to this type of conclusion about the security of any data they hold, would it be considered a proper application of those exemptions to use them in these particular circumstances?

Ian

DP Blog said...

If I have understood the question correctly, the question is about the UN's Website Privacy Policy in relation to the judgment.

I think this judgment is not the one you should consider (ECtHR), but rather the recent opinion from the Art. 29 Working Party on Data Protection (available at http://dataprotectionthinker.blogspot.com/2007/07/art-29-working-party-opinion-on.html) - many data protection commissioners already hold the view that IP addresses are personal data despite some disagreement about whether it identifies the individual. IP addresses, however, are useful in the context of filesharing activity and some organisations (music industry) have started to use software to collect IP addresses of users who use peer-to-peer networking activities.

One is not convinced that the UN can readily identify that users have been navigating their websites (without further information) and even if that were the case, what could they do with the information? Another question is how do you deal with a smart 16 year old kid surfing the UN website for his school project? I will touch on this at some point, but IP addresses alone, without more, are insufficient to determine users' browsing activities. It is the aggregation of web pages that makes the analysis slightly interesting.

For further reading, a good starting point is EPIC's reading list on search engine privacy - http://epic.org/privacy/search_engine/.

DP Thinker

Ian said...

I agree that whilst aggregated data can be particularly useful in all areas, it is the way that aggregated data is then interpreted or used which often causes a direct difficulty for privacy and DP both for data controllers and subjects, but that was not the purpose of the post.

It can be a common conceptual error to reason that privacy policies affect only items like IP addresses and browsing habits when those issues are covered in any policy first.

The UN policy goes on to state:

"If the User provides unique identifying information, such as name, address and other information on forms stored on this Site, such information will be used only for statistical purposes and will not be published for general access. The United Nations, however, assumes no responsibility for the security of this information."

and that form-filled data is clearly more obviously and visibly important for people who may contact the UN, or fill in forms regarding what may be sensitive information within their own country, even when doing so from within another one. It is equally much more directly and immediately related to the individual (and open to simple forgery), which is generically why that EUCtHR judgement seems broadly pertinent, relevant to it and worthy of a wider debate.

Ian

DP Blog said...

I can follow the main thrust of your argument here. Certainly, the ECtHR judgment will reiterate the importance of the security of personal information and that disregard or misuse may lead to severe penalties (monetary compensation). It should not be forgotten that the ECHR has been ratified by most Member States, but I digress on this point.

Perhaps what reinforces the need to ensure the security of personal information, even on a website such as the UN's, are the likely consequences that may arise in cases of a security breach. Not least, most European Member States have enacted data protection laws, and one of the Data Protection Principles (Art. 6 of Directive 95/46/EC) includes the requirement that organisations take appropriate action to protect (i.e. secure) personal information.

Another pertinent issue is to question who the data protection/security IT officers are within the UN and to request that the wording of the privacy policies be amended. It does raise another question: should visitors (of high esteem) decide to have their details input on the forms as you suggest, and there is a lapse of security in procedures, it can prove quite damaging (in the sense of media attention etc.).

DP Thinker

Ian said...

Thank you for your views of EU DP issues on this subject.

I agree that my original query regarding the potential appropriateness of the application of broad UN legal/treaty exemptions to this particular area in this context is a difficult one and one which perhaps belongs more to the ICJ courts than the arena of the EUCtHR.

The ICJ website itself has been more attuned to disclaiming responsibilities than attempting to electronically recognise or deal with privacy issues and does not have a privacy policy, so perhaps there is a cultural issue across that sphere, or some other influence.

I acknowledge your statement about asking for the wording to be changed, and whilst legal issues can often prompt such actions, making any approach from a poorly informed perspective would be wrong. The DPI/NGO conference in Paris at the moment would seem an appropriate place for these issues to be aired, but unfortunately I am unable to get there. Maybe a reader of this blog may be able to.

Whilst there is a certain inevitability about a security breach of note occurring in the current circumstances of that statement (consider media contacts with the organisation as well as political ones), there is no academic research benefit to generating one, as it would potentially compromise my research and probably damage the UN significantly.

Thank you for the discussion. I now intend to raise the issue within the JISC DP group to gain other perspectives.

Ian