The Swedish Authority for Privacy Protection (IMY) has initiated a review of the national waiting time database used by the Swedish Association of Local Authorities and Regions (SKR) to compile statistics on waiting times in healthcare

The Swedish Authority for Privacy Protection (IMY) has initiated a review of the national waiting time database used by the Swedish Association of Local Authorities and Regions (SKR) to compile statistics on waiting times in healthcare. IMY will review the processing of personal data that takes place in the national waiting time database managed by SKR. The information in the database consists of data collected from patient registers in the territorial regions (the so-called län) and then transferred to SKR. Stina Almström, IMY’s lawyer, pointed out that ‘[a]n institution that processes personal data has an obligation to ensure that there is a legal basis for processing it. We now want to investigate what possibilities a private organisation, which is not a health care provider, has to process personal data in the way that the waiting time database does’. IMY asked SKR a number of questions about the legal basis and the exemption from the prohibition on processing sensitive personal data on which the processing in the patient waiting time database is based.