The applicant in the case of I v Finland was a nurse working in a specialist eye clinic within a hospital. At the same time she was receiving ongoing treatment within a clinic at the same hospital, having been diagnosed as HIV positive. At that time hospital staff had free access to the patient register containing information on patients’ diagnoses.

The applicant suspected that her colleagues were aware of her illness, and after she complained the hospital register was amended so that only the clinic’s personnel had access to its patients’ records. The applicant tried to establish who had accessed her confidential patient records. The hospital gave evidence to the effect that the data system did not enable this information to be obtained, and she subsequently applied to the ECHR for a ruling. She alleged that the hospital’s failure to guarantee the security of her data against unauthorised access had violated her right to private life.

The ECHR held that the protection of personal data, in particular medical data, was of fundamental importance to a person’s right to respect for private life. In order to be consistent with the guarantee of the right to private life, domestic law had to afford appropriate safeguards to prevent unnecessary communication or disclosure of personal health data. Respecting the confidentiality of health data was a vital principle in the legal systems of all member states and it was crucial to preserve patients’ confidence in the medical profession and health services.

The ECHR stressed the need for practical and effective protection to exclude any possibility of unauthorised access occurring in the first place. It also stated that the applicant would have been less disadvantaged if the hospital had restricted access to those directly involved with her care or kept a log of those who had accessed her medical file. The court’s judgment included an order for compensation, which highlights the need for strong access controls and audit trails to be delivered by the NHS.