State institute found to be illegally collecting personal medical data

The Office for Personal Data Protection says it has never encountered such a large-scale database of illegally collected personal data: information from 200,000 drug prescriptions a day for the last six months showing who uses what kind of medicine. And the body collecting it? The State Institute for Drug Control.

What the law calls for is central storage of electronic prescriptions, the idea being to ensure that inappropriate combinations of medicines were not being prescribed and that narcotics producers were not amassing ingredients for their trade. Doctors have not even started using electronic prescriptions though, and the database began filling up anyway. The Office for Personal Data Protection was asked to investigate whether the database was being put to a completely different use. It was, as the office’s Hana Štěpánková explains:

“What was actually happening in that central database was that personal information was being taken from written prescriptions, not from electronic prescriptions at all; it was being collected in pharmacies and processed by the State Institute for Drug Control beyond the scope of what it was authorised to do by law; the Institute was actually demanding that pharmacies send this information.”

The database of tens of millions of prescriptions filled across the country by more than 1,500 pharmacies was even accessible on the internet with a code. It was promptly erased when the personal information office revealed the full extent of the problem, and the State Institute for Drug Control has said the information was not compromised. But as Ms. Štěpánková points out, the ramifications of potential misuse were huge.

“The extent to which this sensitive information could have been misused makes it a major problem. This information that was collected attests to the medical conditions of all of the individuals who picked up medicines from a pharmacy. That kind of material could be used for blackmail, but of course it also serves marketing purposes extremely well.”

Hana Štěpánková, photo: CTKHana Štěpánková, photo: CTK Cases of careless handling or mismanagement of personal information are not new to the headlines. Just recently it was discovered that the Office of the Government was responsible for a case in which a Finnish tourist on a hotel computer accessed the personal data of delegates to the Czech/US summit, including their blood types, allergies, passport numbers and itineraries. Is the latest incident a sign of endemic misuse of personal data in the Czech Republic?

“I don’t know to what extent the problem is greater here than elsewhere, I can say that people turn to the Office for Personal Data Protection more and more often both with evidence of violations and with excessive suspicion of such violations. That only shows that people are cautious, and that’s fine. But there are certain areas where the office finds very widespread problems. Personal data on paper gets thrown away rather than being shredded, computers get sold without being properly formatted. The office sees a big problem with the use of cameras in schools, and with young people becoming used to the idea that it is normal to live under constant surveillance.”

Meanwhile, blame for this latest breach of personal data is being passed among all involved. It was the pharmacies themselves that protested the collection and asked for the investigation. The State Institute for Drug Control believes it was gathering its data legally, in the same way insurance companies do, and another association of pharmacy owners involved in the situation claims that its was the data protection office itself that approved the practice in the first place.