Scenario 1:
MED is a healthcare provider located in Norway. It provides high-quality and affordable healthcare services, including disease prevention, diagnosis, and treatment. Founded in 1995, MED is one of the largest health organizations in the private sector. The company has constantly evolved in response to patients' needs.
Patients that schedule an appointment in MED's medical centers initially need to provide their personal information, including name, surname, address, phone number, and date of birth. Further checkups or admission require additional information, including previous medical history and genetic dat
- When providing their personal data, patients are informed that the data is used for personalizing treatments and improving communication with MED's doctors. Medical data of patients, including children, are stored in the database of MED's health information system. MED allows patients who are at least 16 years old to use the system and provide their personal information independently. For children below the age of 16, MED requires consent from the holder of parental responsibility before processing their data.
MED uses a cloud-based application that allows patients and doctors to upload and access information. Patients can save all personal medical data, including test results, doctor visits, diagnosis history, and medicine prescriptions, as well as review and track them at any time. Doctors, on the other hand, can access their patients' data through the application and can add information as needed.
Patients who decide to continue their treatment at another health institution can request MED to transfer their data. However, even if patients decide to continue their treatment elsewhere, their personal data is still used by MED. Patients' requests to stop data processing are rejected. This decision was made by MED's top management to retain the information of everyone registered in their databases.
The company also shares medical data with InsHealth, a health insurance company. MED's data helps InsHealth create health insurance plans that meet the needs of individuals and families.
MED believes that it is its responsibility to ensure the security and accuracy of patients' personal data. Based on the identified risks associated with data processing activities, MED has implemented appropriate security measures to ensure that data is securely stored and processed.
Since personal data of patients is stored and transmitted over the internet, MED uses encryption to avoid unauthorized processing, accidental loss, or destruction of data. The company has established a security policy to define the levels of protection required for each type of information and processing activity. MED has communicated the policy and other procedures to personnel and provided customized training to ensure proper handling of data processing.
Questio n:
If a patient requests MED to permanently erase their data, MED should:
- Reject the request since the medical history of patients cannot be permanently erased.
- Erase the personal data if it is no longer needed for its original purpose.
- Erase the personal data only if required to comply with a legal obligation.
- Refuse the request because medical data must be retained indefinitely for future reference.
Answer(s): B
Explanation:
Under Article 17 of the General Data Protection Regulation (GDPR), also known as the "Right to be Forgotten," data subjects have the right to request the erasure of their personal data when:
The data is no longer necessary for the purpose for which it was collected.
The data subject withdraws consent (where processing was based on consent).
The data was processed unlawfully.
In this scenario, if the data is no longer necessary for the original purpose (e.g., if the patient has completed their treatment and there are no legal retention obligations), MED should erase the data. However, there are exceptions under GDPR, such as legal retention requirements for medical records under national healthcare regulations.
Rejecting the request outright (Option A) is incorrect because GDPR requires controllers to assess whether retention is still necessary. Similarly, Option C is too restrictive because GDPR allows deletion even if no legal obligation mandates it. Option D is incorrect because indefinite retention is not permitted unless a valid justification exists.
Reference:
GDPR Article 17 (Right to Erasure)
Recital 65 (Clarification on when personal data can be erased)
Article 5(1)(e) (Storage limitation principle)
Reveal Solution
Next Question