Police can secretly obtain people's health data with a simple request

Officials can obtain people's sensitive health data from the Health and Welfare Information Systems Center (TEHIK) with a simple request. The legality of these requests is effectively not reviewed, even afterwards, and the individual concerned is not notified, writes Postimees.
While requests for health data must in principle be connected to a proceeding and there must be a need for the data, TEHIK acknowledged in response to an information request from attorney-at-law Carri Ginter that it releases data almost automatically and does not verify whether proceedings have actually been initiated or whether that specific person's health data is truly necessary.
An authority conducting criminal proceedings (for example, the Police and Border Guard Board (PPA)) can submit a query about a person's health data and receive a response without the person's consent. The request does not appear in the data log, and the person is not informed in any other way, according to TEHIK's reply to Ginter.

"All it takes is to note 'related to proceedings' and provide any number. The only risk is internal police oversight," Ginter said.
In 2022, the Supreme Court ruled that any disclosure of information covered by patient confidentiality without the patient's consent or a clear legal basis is unlawful, although that ruling referred to doctors and healthcare institutions.
Justice Minister Liisa Pakosta told Postimees that the government has initiated a legal amendment that will reach Parliament in the fall: "It cannot be the case that an investigative authority barges in and digs out doctors' professional secrets."
The police and the prosecutor's office told the newspaper that they do not use the option of requesting health data without a person's consent. However, in 2025, the Internal Control Bureau identified one violation related to the processing of health data.
--
Editor: Argo Ideon
Source: Postimees












