This website uses cookies to improve your browsing experience.
By continuing to use this website you consent to the use of cookies in accordance with our cookie policy. To find out more, click on this link: Read More Allow Cookies

Technology, innovation, law and tax

Just what the Data Protection Commission Ordered – Portuguese Hospital Fined €400,000 for Data Protection Breaches

By Sinead Corcoran and Elena Vassileva 
30 October, 2018

Earlier this year we reported on the Irish Data Protection Commission’s (the “DPC”) investigation into the hospitals sector. In the course of the investigation the DPC physically inspected twenty hospitals across the country and prepared a comprehensive report (the “Report”) identifying fourteen areas of concern ranging from controls in medical records libraries and security to consent for research and data retention. The Report set out over seventy recommendations, including:

  1. restriction of staff access to medical records libraries to those who have a current need therefor and routinely report on staff access thereto as well as general swipe card access throughout the campus to ensure no unauthorised access;
  2. prohibition from accessing or editing, via other users’ accounts, the records of personal data on hospital computer systems;
  3. where patient data held on patient information systems is accessible to other hospital facilities in the same geographical region, informing patients accordingly by means of patient information leaflets given to each patient and the legal basis for such data sharing being clarified; and
  4. where hospitals need to share personal or sensitive personal data with other hospital facilities during the course of a patient’s care or treatment, making the patients concerned aware of the necessity for such data sharing and giving them the opportunity to consent to it.

At the start of this week, it was reported that the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados) imposed a €400,000 fine on the Barreiro Hospital.

The reported breaches which resulted in the imposition of this significant fine were:

- access to patients’ medical records by non-medical professionals;
- a large discrepancy between the number of active users with a “doctor” profile and the actual number of doctors working in the hospital; and
- failure to segregate Barreiro Hospital patient data from archived data of other hospitals.

The resemblance between the concerns identified in the Report and the data protection breaches which gave rise to the imposition of a significant fine by the Portuguese Data Protection Authority is striking. While the full impact of the General Data Protection Regulation is yet to be seen, the message from European data protection authorities five months on is clear – identify data processing security risks, enhance data protection compliance and raise awareness among staff of individuals’ data protection rights.

For more information on the content of this blog post please contact:
Sinead Corcoran, Partner,, +353 21 4802780
Elana Vassileva, Solicitor,, + 353 21 2332817


Add Comment
Letter footer for printed documents
© 2021 Ronan Daly Jermyn
Web design by Granite Digital
Sign up to our newsletter