The national database on waiting time is managed by Swedish municipalities and regions (SKR) and is used to produce statistics on waiting times in care. The data is collected from patient records in the regions and then passed on to SKR.

But according to the GDPR, the authority or organization that processes personal data must have a legal basis for the processing, as the Privacy Protection Authority (Imy) writes in a press release.

It is generally prohibited to process sensitive personal data, such as health data. Processing this type of data requires a legal basis and a special exception in the Data Protection Regulation.

Against this background, Imy is now beginning to review SKR's waiting time database. Imy wants to know which legal basis and which exception for sensitive personal data the processing in the waiting time database is based on.

"The organization that processes personal data is responsible for ensuring that there is legal support for the processing. We now want to investigate the possibilities for a private organization, and not a caregiver, to process personal data in the way it does in the waiting time database. Therefore, we have begun to review SKR's processing of personal data in the waiting time database," says Stena Almstrom, an attorney at Imy, in the press release.