30th June 2023

The ruling of The Data Protection Authority on the security of personal information in the prescription portal

In its decision of June 27, the Data Protection Authority proposed that the Directorate of Health take measures to prevent unauthorized searches in the prescription portal and that the Office ensure, before September 1, that searches in the prescription portal are traceable to individual pharmacy employees.

-Automatic translation

The office accepts the Data Protection Authority’s point of view (Icelandic) that the security of personal information is better ensured by stricter access control and logging, and that the personal protection of individuals is better ensured by the measures proposed by the agency. Since the preparation for the implementation of the current Medicines Act, the office has maintained that individuals should be guaranteed the right to information about which employees have used access to their personal information, as stipulated in, for example, the Health Records Act. To guarantee those rights, it is necessary to stipulate them in law, but no such provision exists at present.

The case can be traced back to a meeting called by the Directorate of Health with the Data Protection Authority and the Icelandic Medicines Agency regarding monitoring of information security and personal protection in pharmacies. The meeting was held because a pharmacy license holder approached the office and requested information about their employees' inquiries related to individual customers. Subsequently, requests were also received from individual pharmacy customers for a summary of lookups.

The Directorate of Health has provided pharmacy customers with an overview of when and in which pharmacy information on the persons concerned was looked up, but the system does not record which employee was behind that lookup. Therefore, individuals need to contact the relevant pharmacy to get more information, for example, about the reason for the lookup when it does not lead to a prescription. This is because the employees get access to the prescription portal through the relevant pharmacy, and the Directorate of Health does not assign access to those systems.

In the decision mentioned above, the Data Protection Authority proposes that the office remedy this and ensure that information about which employee performs a lookup reaches the prescription portal. To that end, the office will take the following actions:

  1. The office has already reiterated its request to the Ministry of Health that the necessary changes be made to regulations or laws to stipulate this duty of pharmacy license holders, as changes to their systems will result in increased costs for them.

  2. The Icelandic Medicines Agency has, at the request of the Directorate of Health, already sent information to all pharmacies about the Data Protection Authority's decision and encouraged them to start preparations for changes to computer systems and procedures for the delivery of medicines to ensure traceability by September 1.

  3. The Directorate of Health’s prescription portal is already ready to receive detailed information about lookups. Origo, the prescription portal’s service provider, will liaise with pharmacy dispensing system developers to help them make the necessary changes to the systems.

  4. The Icelandic Medicines Agency and the Directorate of Health will jointly update the procedures regarding prescriptions and stipulate that access to pharmacy systems that provide access to the prescription portal must be tied to individual users, that user actions must be recorded, and that this information must be sent to the Directorate of Health.

  5. The Directorate of Health also intends to give individuals access to information about lookups in the prescription portal on My pages on Heilsuvera.is, which is an effective way to ensure transparency about the use of the system and thus increase information security and data protection.

The Directorate of Health believes that if these measures are implemented, the requirements of the Data Protection Authority will be met, as well as the public's legitimate demands for personal protection and information security in the prescription portal.

Further information:
Kjartan Hreinn Njálsson, assistant to the Medical Director of Health (kjartanh@landlaeknir.is).

Alma D. Möller, Medical Director of Health