In December 2015, a journalist disclosed one patient’s health data in a TV show. The data were related to the patient’s mental health and his treatment in the mental health clinic “Dr Laza Lazarevic”, in Belgrade. The Serbian Commissioner for Information of Public Importance and Personal Data Protection (“Commissioner”) promptly established that the clinic disclosed the data to the Ministry of Health which, in turn, made the data available to the Ministry of Interior. On 23 December 2015, the Commissioner issued a warning to the clinic and the Ministry of Health because of the blatant violation of the patient’s right to privacy and protection of personal data. The Commissioner did not establish who disclosed the data to the journalist.

The Commissioner filed requests for initiation of the misdemeanor proceeding against the Minister of Health, the clinic and the director of the clinic. Also, the Commissioner filed a criminal complaint against an unknown person acting in the capacity of an official in the clinic or in the Ministry of Health or inthe Ministry of Interior, due to suspicion that he/she committed the crime of unauthorized collection of personal data. The Ministry of Interior is included because it initially requested from the Ministry of Health to obtain the data.

The Serbian Personal Data Protection Act considers personal data relating to health condition as particularly sensitive (the statutory expression). For processing of particularly sensitive data to be lawful, obtaining data subject’s informed consent (in writing) is always required. Exceptionally, data relating to political party affiliation, health condition and receipt of social assistance may be processed without the consent of the data subject, if a law provides for such processing.

The Commissioner found that the clinic disclosed the document containing health-related data to the Ministry of Health without the data subject’s consent and without a statutory basis allowing for an exception to the consent requirement.

The director of the clinic argued that the disclosure was in compliance with the relevant provisions of the Health Protection Act, the Patients’ Rights Act, and the Persons with Mental Disabilities Protection Act. Each of these laws stipulates in its final provisions that the Ministry of Health is the authority which supervises enforcement of the law. These provisions constitute, in the director’s opinion, the statutory basis for the disclosure to the Ministry.

The Commissioner refused to take this argument seriously. For the disclosure to have possibly been lawful, the Ministry should have specified that it requested the data for the purpose of supervision. However, the request submitted by the Ministry did not set forth any specific purpose – supervision, or else – for which the data were sought.

Furthermore, the Health Protection Act stipulates that, when the Ministry acts as a supervisory authority, the medical institution may disclose personal data only to a health inspector (i.e. not to other official from the Ministry) and the inspector must keep these data as an official secret. In the case at hand, the clinic “Dr Laza Lazarevic” made available the personal data to the Ministry as such, and not to a health inspector.

The Commissioner also found that the clinic acted contrary to its obligation stipulated under the DP Act to take adequate technical, personnel and organizational measures to protect the data from unauthorized disclosureor any other type of misuse. When the Ministry of Health requested the data from the clinic, it did so by an email containing no name, surname or title of the sender. The clinic, in response, emailed the document with the health-related data from an unsecured email account. The email address was located on a server not under control of the clinic. The Commissioner established that the clinic could not know who could access the emails sent from that account. Moreover, the pdf document attached to the email contained no access password or encryption.

The Ministry of Health also tried to ground lawfulness of the data disclosure in certain provisions of the Police Act and State Administration Act, which provide for cooperation among state authorities and the exchange of data. However, the Commissioner concluded that the relevant provisions in the Police Act and State Administration Act do not provide independent bases for data processing, but merely refer to the application of the DP Act.

The Commissioner’s scathing refusal to accept the arguments by the Ministry of Health and the director of the clinic seems to be rock solid. At the same time, on some issues which are not crucial for the determination of the responsibility of the agencies involved, one wishes that the Commissioner provided greater conceptual clarity.

The Commissioner refers to the clinic and the Ministry of Health as the “data controllers”, without clarifying whether both are controllers with regard to same processing (i.e. whether they are co-controllers) or each is a controller in relation to a different processing. There is no doubt that when it comes to regular processing of patients’ health data the clinic is the data controller.

But with regard to which processing – if any – did the Ministry of Health act as a data controller? Clearly not with regard to the processing for the purpose of medical treatment. Only in relation to a secondary processing – the collection of data at the request of the Ministry of Interior – could the Ministry of Health arguably be a data controller. But such a finding would be debatable, because there is room for an argument that the Ministry of Health acted merely as a data processor for the Ministry of Interior as the data controller. The Ministry of Health requested from the clinic to furnish the health-related data because the Ministry received a request from the Ministry of Interior for such data.

The purpose for which the Ministry of Interior wanted to obtain and use the patient’s data is not explicitly spelled out in the Commissioner’s warning. To those who follow political developments in Serbia it would seem that the purpose was to use the data about the mental health in order to discredit the person (the data subject) who had recently become embroiled in a public controversy involving critics and supporters of the Serbian government (the patient apparently belongs to the former group). In any event, neither the clinic nor the Ministry of Health determined the purpose or means of that particular processing. The Ministry of Health acted upon the Ministry of Interior’s request, while the clinic acted upon the request from the Ministry of Health. It is not even certain that the Ministry of Health was familiar with the purpose for which the Ministry of Interior requested the data. All this leads to the conclusion that the only data controller with regard to the secondary processing was the Ministry of Interior. The Ministry of Health acted as the data processor and the clinic as a sub-processor.