The Commissioner for Information of Public Importance and Personal Data Processing has issued a Warning to the Ministry of Health, in which he drew the Ministry's attention to irregularities in the personal data processing it performs in the Integrated Health Information System (IHIS).
The Commissioner had previously ex officio initiated and conducted an inspection of compliance with and application of the Law on Personal Data Protection by the Ministry of Health of the Republic of Serbia in connection with the personal data processing that Ministry performs in the IHIS.
In the course of the inspection procedure it was found that the Ministry had established IHIS without proper legal grounds as a centralised electronic data file which it used to process the personal data of employees and patients at 451 medical institutions in Serbia, including patients' medical information. It was also found that 69,359 individuals had access to IHIS in various capacities and with various access levels.
Apart from the issue of legal grounds for the processing, the inspection also found serious omissions in the protection of the personal data processed by the Ministry in IHIS, which involved a great risk of unauthorised access to personal data and thus also of other potential forms of abuse.
The Warning gave the Ministry 15 days to report back to the Commissioner and inform him of the measures it has undertaken to remedy the irregularities, so that the Commissioner can decide whether any further action is warranted.