Skip to content

Wrongful to publish sensitive personal data on Region Örebro County’s website

Published: 12 May 2020
Swedish Authority for Privacy Protection’s investigation shows that the Healthcare Committee in Region Örebro County made a mistake when publishing on the region’s website sensitive personal data about a patient admitted to a forensic psychiatric clinic.

Swedish Authority for Privacy Protection received a complaint against the Healthcare Committee in Region Örebro County, in which claims that sensitive personal data about a patient admitted to forensic psychiatry clinic had been published on the region’s website was put forward.

– Our investigation into the matter shows that sensitive personal data has wrongfully been published and thereby made accessible to the public on the region’s website", says Elin Hallström, Legal Advisor at Swedish Authority for Privacy Protection.

Swedish Authority for Privacy Protection’s audit shows that there are no written instructions relating to the publication of documents and personal data on the website in place. Instructions for publishing information are instead communicated orally. In this case, the instructions had not been followed which led to the accidental publication of the document, suggesting that the Committee had not taken sufficient organizational measures to ensure that personal data is protected from being wrongfully published on the region’s website.

– For this reason, we are now ordering the Committee to establish written instructions and introduce measures that ensure that those who publishes personal data on the region’s website does so in accordance with set instructions.

In its decision, Swedish Authority for Privacy Protection also concludes that in terms of publication the Committee had neither a legitimate purpose, nor a legal basis, nor fulfilled the requirements for an exemption from the general prohibition against handling sensitive personal data in the General Data Protection Regulation.

Swedish Authority for Privacy Protection orders the Committee to bring its personal data handling into compliance and furthermore issues an administrative fine of 120 000 Swedish kronor (approx. 11 000 euro) against the Committee.

The published document in question has been removed from the region’s website.

Read Swedish Authority for Privacy Protection’s decision in pdf format (in Swedish) (pdf, 145 kB)


For further information, please contact

Legal Advisor Elin Hallström, phone +46-8-657 61 13
Swedish Authority for Privacy Protection’s press office, phone +46-8-515 15 415

Latest update: 05 May 2021
Page labels Data protection
Latest update: 05 May 2021
Page labels Data protection