The Agency for Access to Public Information (AAPI), the controlling authority of the Personal Data Protection Law (PDPL) (25,326), initiated an investigation regarding a security incident that affected the database associated with the site created for obtaining travel authorisations in the province of San Juan. The security incident exposed individuals' personal data, including sensitive data, which had been stored in the medical records of the province's public health system, known as "Andes Salud".
The San Juan Ministry of Health failed to implement the security and confidentiality measures that would have prevented the leakage of citizens' personal data.
Although the servers of the Andes Salud database were based in the province of San Juan, they were connected to the Internet. Consequently, the data processing had an extraterritorial scope that exceeded the borders of the province. Therefore, the AAPI considered that it was allowed to investigate the case by virtue of section 44 of the PDPL, which provides that federal jurisdiction will govern when dealing with databases connected to federal or international networks.
The AAPI decided to impose a warning on the San Juan Ministry of Health for committing two serious infringements:
- breaching the confidentiality duty set out in section 10 of the PDPL; and
- failing to implement the relevant security measures determined by the relevant regulations.
However, the AAPI did not apply a fine based on the following reasons:
- The province implemented protocols to resolve the data breach and mitigate its effects.
- The incident took place in the specific context of the covid-19 pandemic and the allocation of public funds must prioritise the management of the resulting economic and health crisis.
- The San Juan Ministry of Health had no record of previous violations.
For further information on this topic please contact Mariano Peruzzotti or Valentina Gonzalez Medina at Ojam Bullrich Flanzbaum by telephone +54 11 4549-4900 or email ([email protected] or [email protected]). The Ojam Bullrich Flanzbaum website can be accessed at www.ojambf.com.