Originally published on Redaccion Medica
According to the Data Protection Agency findings, the information was used for purposes other than those authorised.
The AEPD (Spanish Data Protection Agency) has fined the Jehovah’s Witnesses €10,000 for collecting data from medical staff and patients without prior authorization.
The religious institution has a Hospital Liaison Committee (HLC) in each province that visits the hospitals to establish a degree of collaboration with the medical staff in accord with the beliefs of the Jehovah’s Witnesses, “which is only to perform surgeries without blood transfusions”, it stated in its response to the Agency which Redacción Médica has access to.
When collecting this data, as demonstrated by the findings, the HLC members overreached their duties, gathering information without requesting the relevant permission as stipulated by law. The Jehovah’s Witnesses filed an appeal after the ruling, but it was rejected.
The document described rights as the basis of the existence of data that had been “stored, preserved, and involved the processing of data without consent that can therefore be inferred that they form part of a file”. Moreover, the findings showed certain inaccuracies of the Committee members: “The statement from an HLC member that the database had been destroyed, lacked truthfulness when it was verified that it existed in 2014 and continued to exist in 2017, when an official inspection was made.”
Regarding the allegation of the defendant as to whether the data obtained from the medical personnel n their files fall under the scope of the Data Protection Act, the AEPD clearly explains that their data deals with medical personnel “who provide services in public hospitals as well as historical data collected from personal interviews and their willingness to collaborate with the defendant. The notes of the collaborators / consultants that appear in their database, are not from the medical personnel but rather have been created by the defendant.”
Purpose of the data collected
According to the information that we have had access to, the databases analysed “did not seek to contact the company / hospital but did so with each and every one of the individual’s specialist doctors , member’s files, including several physicians within the same specialty in some cases, appreciating that the origin and transfer of the data come directly from the work of the HLC who update the database.” Therefore, the AEPD affirms that “only a direct relationship with physicians is permitted, and not in any way with the Hospital. It cannot be qualified as incidental data when physicians have been classified as collaborators or consultants.”
The AEPD thus adds that “it cannot be considered merely coincidental that the faculty details included in the database justifies its inclusion, when the very purpose of the database is to identify each of the medical professionals and for that reason it was created.” Therefore, “physicians whose data is contained in the defendant’s files should be considered as included within the scope and application of the Data Protection Act. This is because the mere fact of being a doctor and practicing medicine, in itself, does not involve the development of a business activity, especially when said medical activity takes place in a public hospital belonging to the Cantabria Public Health Service, in which the service is provided by another person.”
In summary, the AEPD considers that the purpose of the data was “to create a database with information about physicians regarding their views on bloodless medicine or the availability of such interventions. As to the allegations that the details of the medical personnel are available from publicly accessible sources, more specifically via the Hospital’s web page, it must be mentioned that they not only include the data of the medical personnel, but rather are classified in folders as a collaborator or consultant, data that is not available in the Hospital.”