The Court recognised that the Finnish courts did not find in I's favour because she could not prove that her record had been misused, but said that "to place such a burden of proof on the applicant is to overlook the acknowledged deficiencies in the hospital’s record keeping at the material time."
"It is plain that had the hospital provided a greater control over access to health records … the applicant would have been placed in a less disadvantaged position before the domestic courts," the Court said. "For [this] Court, what is decisive is that the records system in place in the hospital was clearly not in accordance with the legal requirements."
The Court said that the existence of the right to sue if information is disclosed is not the same as protecting privacy in the first place. "What is required in this connection is practical and effective protection to exclude any possibility of unauthorised access occurring in the first place. Such protection was not given here," it ruled. "The Court cannot but conclude that at the relevant time the State failed in its positive obligation under Article 8 (1) of the Convention to ensure respect for the applicant’s private life."
Data protection law expert Dr Chris Pounder of Pinsent Masons, the law firm behind OUT-LAW, said that the case establishes a vital link between the protection of personal information and a person's entitlement to privacy under human rights law. The European Convention on Human Rights is made into UK law by the Human Rights Act.
"The judgment is important because it links security of personal data to the human rights framework," said Pounder. "Organisations have to be proactive in their security practices and procedures. It is not sufficient to say that 'we will do something' security-wise – it will be important to show that that something has been done."
The Court awarded I €13,771 in damages and €20,000 in costs.
Have you read these related articles?
Newsletter:
