The law currently offers no means of addressing the dissemination of illegally obtained social and health care information within a narrow circle.
The government has launched legislation to improve the situation of patients who have been victims of hacking. We want to protect patients from identity theft. Separately, an amendment to the law is proposed to ensure better security of information systems in the future.
On the other hand, the criminalization of the dissemination of patient data already leaked to the Internet has not been clarified. There is no provision in the current law that is directly applicable to such an act, even if the act is morally wrong and profoundly violates privacy.
The law obliges health care units to process patient data securely, and health care professionals are bound by an enhanced duty of confidentiality under threat of punishment. The same obligations apply to social care customer data.
Hacking is a crime. In addition, anyone who distributes leaked documents may be punished for infringing on privacy. However, this provision does not reach cases where someone disseminates the information to only one or two others.
Data protection law addresses infringements by the controller and the processor with the most serious administrative fines. The EU Data Protection Regulation and national data protection law have shifted the focus to administrative sanctions.
The Penal Code still has its own provision on data protection offenses, but it may not apply to cases where data that has already been leaked on the Internet is read: data protection law does not apply to the processing of personal data exclusively in the course of personal activities. It is still punishable if an employee uses his technical access rights to spy on confidential information at his workplace for his private purposes.
While it is not currently a criminal offense to interfere with sote data leaked on the Internet, the scope of criminal liability does not deviate from the general guidelines of the legislation on professional secrecy. As a general rule, only a breach of professional secrecy based on a person's status or function is punishable. In addition, unauthorized access to information can be punishable as hacking. Criminal liability has not been extended to a later stage.
On the other hand, there are also exceptions in the legislation. The provisions on criminal fraud also cover acts committed by a subsequent actor, and the same applies to the use of inside information. Trade secrets also have comprehensive protection: if someone acquires or discloses a trade secret illegally, the criminal liability also applies to the subsequent operator. Illegally obtained or leaked information becomes contaminated.
These criminal provisions, which protect confidentiality on a large scale, are justified on grounds of national security, the soundness of financial markets and fair competition. Enhanced protection would also be needed for the most sensitive personal data, especially social and health data.
Making reprehensible acts against the data punishable requires strict limits. For social and health data, the requirement could be met by linking the criminal liability of the downstream operator to the records.
Violation of a sote document distributed on the Internet could be penalized not only as disclosure and use, but also as mere prohibited access to the information. Assessing the intent of the act would not be difficult. The Supreme Court has ruled that, in the case of trade secrets, intent is fulfilled when a person can, in the circumstances, consider it quite probable that the origin of the information is illegal.
Improving criminal liability for confidential sote data could also curb spying on patient data already circulated on the Internet. The ban on retroactive legislation would not be an obstacle. The penalty provision would apply to acts committed after the entry into force of the law, even if the information leak itself had already taken place earlier.
Kimmo Nuotio and Klaus Nyblin
Nuotio is a professor of criminal law at the University of Helsinki. Nyblin is a lawyer specializing in healthcare and data protection law.
Guest columns are contributions from experts selected by the HS editorial board for publication. The opinions expressed in guest columns are the authors' own views, not HS's positions. Writing instructions: www.hs.fi/vieraskyna/.