Parliamentary candidate fined €15,000 for personal data breach
Former ND MEP Anna Michelle Asimakopoulou, who in the run-up to last June’s European elections sent mass e-mails from her office to Greek expatriates after their data had been leaked from the Ministry of Interior’s expatriate archive, was not the only one. The same tactic was followed in the parliamentary elections of May 2023 by Myron Tsagarakis, a doctor, NHS plastic surgeon and PASOK parliamentary candidate in East Attica (he was not elected in the end), who used the personal data of patients and inpatients from the archive of the “Andreas Syngros” hospital.
Last week, the Personal Data Protection Authority imposed a 15,000 euro fine on the doctor in question for a personal data breach, following two complaints from citizens who had been hospitalized at “Andreas Syngros” and had received pre-election text messages from the candidate.
The PASOK parliamentary candidate was sending text messages to the mobile phones of former and current patients and inpatients at the hospital in order to get them to vote for him. In the SMS he wrote: “You who were operated on in the NHS voted for PASOK and Myron Tsagarakis candidate in East Attica, Central speech 14/5 Rafina Town Hall 18:30”, followed by his Facebook address.
One of the recipients of the text messages, who had undergone minor surgery at the hospital six years ago but had never been examined by Mr Tsagarakis, and of course had never known him or contacted him for any reason, reported the incident to the hospital administration on May 5, 2023.
In his letter, he pointed out that the candidate MP had carried out illegal processing of his data and even sensitive medical data. At the same time, he asked for information on exactly which data came into the doctor’s possession, who has access to the personal data of the hospital’s patients, and how the integrity of the patient’s data is ensured.
The hospital’s data protection officer responded to the complainant but did not address the questions he had raised. The response stated that “as part of his medical duties at the hospital and solely to provide medical services on behalf of the hospital, Mr. Tsagarakis had lawful access to the hospital’s patient data”. Therefore, “providing hospital physicians with access to hospital patient databases to perform their medical duties does not for any reason involve a breach of privacy.”
Furthermore, the hospital official said that the doctor in question was questioned about the incident and denied that he “carried out any processing of patient data to send promotional policy, claiming that the mobile phone numbers of the patients to whom he sent relevant political communications as part of his election campaign came either from his records or from patients he had personally treated.”
Nevertheless, a Sworn Administrative Inquiry (SIA) was conducted.
Time passed, but there was no update on the SIA, and so last July the complainant requested a copy of it.
The hospital, in the first ten days of last August, replied that he could not receive a copy of the SIA as “the required consent was not granted by Mr Tsagarakis.”
However, the hospital said that “Mr. Tsagarakis, since he belongs to the surgical department of the hospital, has legal access to the data of all the patients of that department, regardless of whether he has operated on a patient, as is the case with all medical staff” and stressed that “the personal data to which the doctor gained access is demographic data.”
Elsewhere in the response letter, it is stated that the surgical department and operating room physicians have access to all of the patient’s data, while the outpatient registry has access to demographic data for the purpose of servicing scheduled appointments.
Following this, the complainant, through his attorney, Panagiotis Perakis, appealed to the Personal Data Protection Authority, noting that “it is a monument of audacity, irresponsibility, and violation of basic obligations of the data protection legislation, which concern fundamental rights, which have been disregarded and provocatively violated in what is perhaps the most sensitive area, that of health, by a public official and a public hospital”.
Furthermore, it is noted that the way the personal data of inpatients is kept and processed is inadequate and not in accordance with the law, with no appropriate measures taken to protect the sensitive personal and health data of patients.
Raised by PASOK
The appeal does not omit to mention that the doctor in question, “without a sense of duty that requires compliance with the law, not caring that his actions exposed not only the public hospital in which he serves but also the party body he represents, carried out acts of processing (collection and use) of my data”. In fact, he “used the personal data for political communication, i.e. for reasons exclusively related to his political interest.”
Furthermore, it is said that the doctor “abused his status and position, taking advantage of the hospital’s multiple inadequacies in terms of protecting the personal data it holds.”
The post Parliamentary candidate fined €15,000 for personal data breach appeared first on ProtoThema English.