
The Ministry of Health of the Province of San Juan was sanctioned for data protection violations.

By Mariano Peruzzotti and Valentina González Medina.

The Agency for Access to Public Information (hereinafter, “AAPI”), the controlling authority of Personal Data Protection Law No. 25,326 (“PDPL”), initiated an investigation into a security incident affecting the database associated with the site created for obtaining travel authorizations within the Province of San Juan. This security incident exposed individuals’ personal data, including sensitive data, stored in the medical records of the Province’s public health system, named “Andes Salud”.

The Ministry of Health of the Province of San Juan did not implement the security and confidentiality measures that would have prevented the leakage of citizens’ personal data.

Even though the servers of the Andes Salud database were based in the Province of San Juan, they were connected to the Internet and, consequently, the data processing had an extraterritorial scope that exceeded the borders of the Province. Therefore, the AAPI considered that it was allowed to investigate the case by virtue of section 44 of the PDPL, which provides that federal jurisdiction will govern when dealing with databases connected to federal or international networks.

The AAPI decided to issue a warning to the Ministry of Health of the Province of San Juan for committing two serious infringements:

  • Breach of the confidentiality duty set forth in section 10 of the PDPL.
  • Not implementing the relevant security measures determined by the proper regulations.

The AAPI did not apply a fine for the following reasons:

  • the Province implemented protocols to solve the data breach and mitigate its effects;
  • the specific context of the pandemic, which requires prioritizing the allocation of public funds to the management of the economic and health crisis; and
  • the absence of a record of previous violations.

For further information contact: mperuzzotti@ojambf.com.
