The Court made its ruling based on Article 8 of the European Convention on Human Rights, which guarantees every citizen the right to a private life. It said that it was uncontested that the confidentiality of medical records is a vital component of a private life.
The Court ruled that public bodies and governments will fall foul of that Convention if they fail to keep data private that should be kept private.
The woman in the case did not have to show a wilful publishing or release of data, it said. A failure to keep it secure was enough to breach the Convention.
A Finnish woman worked in an eye clinic where she also received treatment, having been diagnosed as having AIDS.
The woman began to suspect that news of her disease had spread to other employees and asked to be shown who had accessed her medical records and when. The health authorities only kept a note of the last five people to have accessed a record.
The woman, known in the case as I, sued the District Health Authority for failing to keep her medical records confidential.
She lost that case because the court found that there was no firm evidence that her record had been accessed unlawfully. She also lost her appeal, and was refused permission to take her case to Finland's Supreme Court.
The Court of Human Rights found that there were privacy laws in place in Finland when the incidents occurred that required medical data to be properly protected. Had these been strictly followed, it found, I's records would have had enough protection.
The Court recognised that the Finnish courts did not find in I's favour because she could not prove that her record had been misused, but said that "to place such a burden of proof on the applicant is to overlook the acknowledged deficiencies in the hospital’s record keeping at the material time."
"It is plain that had the hospital provided a greater control over access to health records … the applicant would have been placed in a less disadvantaged position before the domestic courts," the Court said. "For [this] Court, what is decisive is that the records system in place in the hospital was clearly not in accordance with the legal requirements."
The Court said that the existence of the right to sue if information is disclosed is not the same as protecting privacy in the first place. "What is required in this connection is practical and effective protection to exclude any possibility of unauthorised access occurring in the first place. Such protection was not given here," it ruled. "The Court cannot but conclude that at the relevant time the State failed in its positive obligation under Article 8 (1) of the Convention to ensure respect for the applicant’s private life."
Data protection law expert Dr Chris Pounder of Pinsent Masons, the law firm behind OUT-LAW, said that the case establishes a vital link between the protection of personal information and a person's entitlement to privacy under human rights law. The European Convention on Human Rights is made into UK law by the Human Rights Act.
"The judgment is important because it links security of personal data to the human rights framework," said Pounder. "Organisations have to be proactive in their security practices and procedures. It is not sufficient to say that 'we will do something' security-wise – it will be important to show that that something has been done."
The Court awarded I €13,771 in damages and €20,000 in costs.