The European Court of Human Rights has ordered the Finnish government to pay out €34,000 because it failed to protect a citizen’s personal data by not adequately securing a patient’s confidential medical record.

The case could prove significant by creating a legal precedent, based on the European Convention on Human Rights, linking data security and human rights.

The Court made its ruling based on Article 8 of the Convention, which guarantees every citizen “the right to respect for his private and family life, his home and his correspondence.” It said it was uncontested that the confidentiality of medical records is a vital component of a private life.

It also said Finland had failed to protect the confidentiality of patient information and ordered the state to pay a nurse about €14,000 in damages and €20,000 in costs.

The nurse involved in the case worked in a public hospital between 1989 and 1994 on a series of fixed-term contracts. During that period, she paid regular visits to the same hospital’s infectious diseases clinic, having been diagnosed with HIV.

In 1992, it transpired that her colleagues at the hospital’s ophthalmic department had had access to her patient records. Three years later, her contract was not renewed.

The woman began to suspect that news of her disease had spread to other employees and asked for details of who had accessed her medical records and when. The health authorities only kept a note of the last five people to have accessed a record.

According to legal electronic newsletter Out-Law, the Court ruled that public bodies and governments will fall foul of the Convention if they fail to keep data private that should be kept private.

The woman in the case did not have to show a wilful publishing or release of data, it said. A failure to keep it secure was enough to breach the Convention.

The Strasbourg court found unanimously that the district health authority, by failing to establish a system from which the nurse’s confidential patient information could not be accessed by staff who did not treat her, had violated Article 8.

The woman, known in the case as I, sued the district health authority for failing to keep her medical records confidential.

According to Out-Law, the woman lost the initial case when the court found that there was no firm evidence that her record had been accessed unlawfully. She also lost her appeal, and was refused permission to take her case to Finland’s Supreme Court.

The European Court of Human Rights, however, found that there were privacy laws in place in Finland when the incidents occurred that required medical data to be properly protected. Had these been strictly followed, it found, I’s records would have had enough protection.

Crucially, the Court said that it was unfair for Finnish law to place the burden of evidence on the woman to show that her records had been inappropriately accessed.

In addition, the Court said that the existence of a right to sue if information is disclosed is not the same as protecting privacy in the first place. "What is required in this connection is practical and effective protection to exclude any possibility of unauthorised access occurring in the first place. Such protection was not given here," it ruled.

Data protection law expert Dr Chris Pounder of Pinsent Masons, the law firm behind Out-Law, said that the case establishes a vital link between the protection of personal information and a person’s entitlement to privacy under human rights law. The European Convention on Human Rights is made into UK law by the Human Rights Act.

"The judgment is important because it links security of personal data to the human rights framework," said Pounder. "Organisations have to be proactive in their security practices and procedures. It is not sufficient to say that ‘we will do something’ security-wise – it will be important to show that that something has been done."
