The Commissioner for Information of Public Importance and Personal Data Protection has ended an inspection of compliance with the Law on Personal Data Protection by the city municipality of Obrenovac. The inspection was prompted by a statement made by the president of the municipality in an interview with the "Insajder" website, namely that a foreign company, as a prospective investor, had had access to 55,000 medical records of citizens and was allowed to analyse the data contained in those records, which are identified as particularly sensitive under the law.
The explicit words "they then analysed all 55,000 medical records" understandably caused public concern and outcry. However, during the inspection it was found that this was simply a case of poor wording and irresponsible speech, while in reality there had been no violation of the citizens' right to personal data protection.
In a reply issued pursuant to a request from the Commissioner, Mr. Miroslav Cuckovic, president of the municipality, stated among other things he had "spoken over-eagerly" and he was "very his words were misinterpreted", noting "under threat of perjury or fraud that no processing of personal data of any citizen of Obrenovac occurred in this specific case."
In this regard, the Commissioner's authorised officers conducted an inspection at the Medical Centre in Obrenovac. The inspection involved checks of all relevant facts concerning the possibility of accessing medical records, both in hard copy and electronically.
Medical records are made available exclusively at the request of the patient or his/her agent, who must present a power of attorney duly certified by a court. A written request must be filed in each individual case and records are kept of all requests. The requests are kept in patients' medical records. No medical records have been photocopied in the past three months, either at the patients' request or at the request of a third party.
Access to the electronic database and electronic medical records is allowed only to the attending physicians and nurses, who must log in using a unique username and password, while every access is recorded in log files.
The Medical Centre had contacts with the company Mei Ta on two occasion. It provided the company, at its request, with information about the capacities of the emergency medical service, including the number and makes of its vehicles, its working hours and its distance from the factory; however, no personal data were made available.
Furthermore, the Medical Centre has to date received requests for general health certificates from 18 citizens who listed the company Mei Ta as their employer. These requests were handled in accordance with the law.
In connection with this whole affair, the Commissioner notes it would be good and beneficial if the president of the City Municipality of Obrenovac issued a public apology to the citizens and health professionals of Obrenovac for his statement which caused the uproar.
