Covid-19 test results are sent to city councils and other organizations | Coronavirus


Covid-19 test results, which constitute personal health data, are being communicated to the entities that paid for them, whether city councils or business owners, which can constitute a very serious violation of data protection regulations. If the infringement is confirmed, it should result in a fine of up to €20 million. The National Commission for Data Protection (CNPD) has already received some complaints in this area and is currently investigating a case involving a public entity. However, it has not received any report about a case that drew the attention of PÚBLICO.

It all started at the end of April, when the Castelo Branco City Council bought 5000 tests from Hemobiolab – Laboratory of Clinical Analysis to detect who had already been exposed to the SARS-CoV-2 virus. Of these, the municipality assigned 1782, free of charge, to teachers and employees of the municipal schools and the Polytechnic Institute of Castelo Branco (IPCB). All these results were communicated by the laboratory to the municipality, which, in turn, individually contacted the employees whose tests showed contact with the new coronavirus.

In the case of the polytechnic, it was the institute itself that, after receiving the results from the city council, informed the professionals whether they had already been exposed to SARS-CoV-2.

The municipality, without answering whether this process compromises medical confidentiality, confirmed it to PÚBLICO. “The results of the tests that showed that there was contact with the new coronavirus have been communicated by the city council directly to each person, individually and confidentially. In the case of the IPCB, the municipality communicated the results to the institute, which informed its employees,” says the municipality.

To justify the option, the municipality adds: “The serological tests have been carried out in the context of population screening and not by clinical prescription and, as such, the results of these tests are communicated to the entity responsible for screening, the municipality.”

The IPCB confirms that it received the results from the city council and communicated them to the professionals of the institution. “Between September 29 and October 2, serological tests were carried out on 390 professors and employees of the Polytechnic Institute of Castelo Branco, who volunteered for this purpose. The tests were carried out by the municipality of Castelo Branco, so it was the municipality that received the results and communicated them, confidentially, to the IPCB, which, in turn, reported directly and individually to each person analyzed.”

The Hemobiolab laboratory does not recognize any data protection violation and justifies sending the results to the city council on the grounds that the contract had the “Civil Protection of the municipality” as interlocutor, a reference that does not appear in the document, nor is it invoked by the Castelo Branco municipality. “Civil Protection is the entity that locally coordinates all actions to protect the population, including the health area of the municipality, being empowered by legal regulations as a public health body,” argues Hemobiolab, insisting that it respected the data protection regulations. Since PÚBLICO did not find any norm that attributes the powers of a public health body to municipal civil protection (the public health authority in Portugal is the Director General of Health, who has regional and municipal structures under her authority, the regional and municipal health delegates), it asked the laboratory to identify the legal instrument in which this appears, which had not happened by the time this edition closed.

In a written response signed by Miguel Santos, president of the board of directors of the Affidea group, of which this laboratory is a member, Hemobiolab says that it delivered, “as contractually defined, the results to the entity that contracted the service and that has the competence to do so, as well as to all those who individually requested access to their respective results.” The company also says that it “is not aware of and is not responsible for any subsequent exchange of data.”

The secretary general of the CNPD, Isabel Cruz, assured PÚBLICO that the commission did not receive any report about this case. However, she says that “some complaints” have reached the commission, of which at least one led to the opening of a case that is currently under investigation. “It is a public entity that made a protocol with a laboratory to test employees for the new coronavirus. The results will have been sent to the directors of each service, who will have transmitted them by telephone to the infected,” she explains.

The secretary general of the commission says that, in the abstract, both this situation and the one in Castelo Branco constitute violations of Article 9 of the General Data Protection Regulation, which can result in an administrative fine of up to 20 million euros.
