Administrative fine imposed on the Finnish Motor Insurers’ Centre for the collection of unnecessary patient information
The Office of the Data Protection Ombudsman has investigated the Finnish Motor Insurers’ Centre’s practices in requesting patient records from health care providers for claims handling purposes. The Finnish Motor Insurers’ Centre has systematically requested the full patient records of claimants instead of limiting its requests to the information necessary for claims handling. This practice has violated the GDPR.
The Finnish Motor Insurers’ Centre has taken the view that it has the right to collect extensive patient information and request unredacted patient records from health care providers in order to settle claims. The Finnish Motor Insurers’ Centre has also collected information on the patients’ health care appointments to determine whether the health care provider has charged for visits not related to the examination or treatment of injuries sustained in the traffic accident. Information has also been requested in case the health care provider would have omitted information essential for claims handling.
The Data Protection Ombudsman finds that the actions of the Finnish Motor Insurers’ Centre have violated the principle of data minimisation provided for in the GDPR. The Data Protection Ombudsman notes that the Traffic Insurance Act does not give direct access to all patient records. Rather, the information requested must be necessary for the settlement of the claim. As a rule, an insurance company cannot request all information concerning a customer's health care appointments, but this information must be limited and specified on a case-by-case basis.
Sorting the information to be disclosed is the responsibility of the controller, i.e. the health care provider. The insurance company is nevertheless required to review all of the information received and erase any unnecessary personal data.
The actions of the Finnish Motor Insurers’ Centre have not complied with the principle of fairness relating to the processing of personal data either. A claimant can justifiably expect the insurance company to only process information necessary for settling the claim.
The Data Protection Ombudsman also finds that information on an individual's state of health should primarily be disclosed to insurance companies in the form of a statement, as recommended by the Finnish Medical Association.
The violation of data protection provisions was systematic and protracted
The Sanctions Board of the Office of the Data Protection Ombudsman imposed an administrative fine of 52,000 euros on the Finnish Motor Insurers’ Centre. The Data Protection Ombudsman reprimanded the Finnish Motor Insurers’ Centre for data protection violations and ordered it to bring its practices for requesting patient information into compliance with data protection regulations.
According to the Sanctions Board, the conduct of the Finnish Motor Insurers’ Centre revealed that it is not sufficiently familiar with the requirements of data protection legislation. Among other things, the fact that the processing involved sensitive health information was taken into account in the justifications for the administrative fine.
The decision is not final as the Finnish Motor Insurers’ Centre has appealed it in the administrative court.
Data Protection Ombudsman Anu Talus, anu.talus(at)om.fi, tel. +358 29 566 6766
The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act. The sanctions board is made up of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen, and it has the power to impose administrative fines for violations of data protection legislation. The maximum amount of the administrative fine is four percent of the company’s turnover or EUR 20 million.