Violation of data minimisation leads to administrative fine

The Finnish DPA has fined the Finnish Motor Insurers’ Centre, after this controller was found to be in violation of data minimisation. 

The Finnish DPA has fined the Finnish Motor Insurers’ Centre over its failure to adhere to the principle of data minimisation. The company was fined late last year for collecting an unnecessary amount of data from patients for health insurance claims, according to this report by the EDPB. The Finnish Motor Insurers’ Centre’s practices in requesting patient records from health care providers for claims handling purposes were investigated by the Office of the Data Protection Ombudsman. The Finnish DPA found that this controller systematically requested more information than necessary. The controller was fined €52,000 as a result. 

The Finnish Motor Insurers’ Centre requested unredacted patient records, which contained more information than is considered necessary for insurance claims. 

The Finnish Motor Insurers’ Centre requested unredacted patient records from health care providers in order to settle claims as this controller expected to have the right to collect extensive patient information. This information included the facts of patients’ health care appointments to determine whether the health care provider had charged for visits unrelated to the examination or treatment of injuries sustained in the relevant traffic incident. The controller also requested additional information in the event that the healthcare provider had omitted any pertinent information. 

The Data Protection Ombudsman determined that the practice of requesting this extensive information was a violation of the GDPR. 

The Data Protection Ombudsman determined that the controller’s systematic requests for the full patient records of claimants, instead of limiting their requests to the information necessary for claims, was a violation of the GDPR. According to the EDPS, the principle of “data minimisation” means that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specific purpose. The information collected must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. The data controller in this case was therefore found to be in violation of the GDPR. The Data Protection Ombudsman stated that the Traffic Insurance Act does not give direct access to all patient records. As a matter of fact, the information requested must be only that which is necessary for the settlement of the claim. In addition, any information on an individual’s state of health should be disclosed to insurance companies in the form of a statement, according to the Finnish Medical Association.

While this decision is not final as the Finnish Motor Insurers’ Centre has appealed it in the administrative court, a fine of €52,000 has been imposed. The controller was also ordered to bring their practices into compliance.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.
