Directorate of Health demands invalidation of the Data Protection Authority ruling
29th April 2024
The Directorate of Health has petitioned the District Court of Reykjavík to annul the decision of the Data Protection Authority from 27 July 2023.
-Automatic translation
The office considers the Data Protection Authority's decision to be substantively incorrect. The case concerns a security weakness in Heilsuvera's information system.
The office does not consider the Data Protection Authority's handling of the matter in question to be in accordance with the rules that are the basis of Icelandic law.
Furthermore, the decision of the Data Protection Authority, if it remains intact, will undermine the security culture and personal protection in Iceland and discourage otherwise responsible parties from reporting security breaches and incidents concerning the security of information systems. This can weaken institutions that operate and supervise essential information systems and reduce the critical role of the Data Protection Authority, which is to protect citizens' personal data.
The Directorate of Health makes several serious comments on the practice and procedure of the Data Protection Authority in the case. Among these, the office believes that there are both formal and substantive deficiencies in the Data Protection Authority's decision, the grounds for the decision are incorrect, and that the investigation of the case by the Data Protection Authority was insufficient. In addition, the decision of the fine is based on unlawful and unsubstantiated considerations. The Directorate of Health considers it important to have judicial consideration of various aspects of the Data Protection Act that are discussed in this case and are relevant both for the Directorate of Health and in general.
The Directorate of Health does not relinquish responsibility regarding the security weakness. It was dealt with quickly, without delay, and with a thorough analysis. It was also confirmed that no one misused the security weakness and that personal data did not fall into the hands of individuals who tried to use it illegally. Thus, the security weakness resulted in a minor security breach reported to the Data Protection Authority on the same day.
Further information
Kjartan Hreinn Njálsson, assistant to the Medical Director of Health
kjartan.h.njalsson@landlaeknir.is - Tel. 663-3624