When the medical documentation of a citizen from Odzaci appeared on the Internet and in the media, the Commissioner for Information of Public Importance and Personal Data Protection initiated and conducted a procedure of supervising the implementation of the Personal Data Protection Law at the Odzaci Health Center. The supervision procedure confirmed that the documentation containing data on the patient's health condition was kept in a completely unsafe manner and was accessible to an unlimited number of visitors to the outpatient clinic. As a result, medical documentation containing the citizen's particularly sensitive personal data appeared on social networks and in the media completely unprotected, dumped, and available to anyone.

The Commissioner sent an appropriate warning to the Health Department in Odzaci, with an order to inform him, within 15 days from the date of receipt of the warning, about the measures and activities that will be taken to prevent the abovementioned irregularities.

The Commissioner will submit requests for initiation of misdemeanor proceedings against the Odzaci Health Center and the responsible persons.

The Commissioner reminds that the Law on Patients' Rights explicitly stipulates that all health workers and associates must protect health status data, which are particularly sensitive data that must be handled in a way that at all times ensures the exercise of the right to privacy and the right to data confidentiality, and that all healthcare institutions and other legal entities that process such data are obliged to establish and maintain an appropriate data security system. Contrary to this, examples of extremely irregular handling of such data are not rare. The Odzaci case is only one in a long line of likely illustrations of this kind of attitude.

The Commissioner reminds that similar incidents involving various personal data of citizens, especially sensitive data, and not only in healthcare, have been frequent, and estimates that they will become even more frequent, since this is an inevitable consequence of the fact that state action in this area has mainly been reduced to that taken by the Commissioner. Although such actions have been increasing (the number of cases in the area of personal data protection increased from 83 in 2009 to around 2,500 in 2016), they cannot replace what the relevant ministries, the Government and the Assembly should do.

Through his actions, the Commissioner will continue to protect citizens' rights. However, in the concrete circumstances, this is objectively just a "flame retardant", because Serbia has long been missing what is necessary: a planned strategic approach at the state level and a systematic elimination of the source of the problem, followed by the establishment of a new, modern personal data protection system.