The Danish Data Protection Agency (Datatilsynet) has launched an investigation into the Capital Region of Denmark regarding its handling of personal data in a research project. The probe was initiated following media reports that a researcher gained access to millions of citizens’ hospital records.

The Data Protection Agency has requested the region to provide an account of the data protection law assessments conducted prior to processing personal data for the project. The agency emphasizes that citizens’ rights and human rights cannot be ignored, except when legally prescribed and with due process.

According to reports, a researcher from the Capital Region’s psychiatry department was granted permission to utilize data from 3.65 million individuals’ hospital records without their consent. The researcher intends to employ artificial intelligence to enhance psychiatric treatment, utilizing pseudonymized data to prevent immediate tracing back to individuals.

The Data Protection Agency states that should illegal processing of personal data be confirmed, the processing must cease, and all related data and results must be deleted.

Hanne Marie Motzfeldt, a professor at the University of Copenhagen, has expressed concern about the use of this data, advocating for broader public awareness and discussion regarding the utilization of health data in Denmark.

The Data Protection Agency acknowledges the pressure on municipalities, regions, institutions, and the private sector to adopt new technological solutions, but emphasizes the importance of adhering to data protection regulations.

The agency highlights the necessity of conducting a “data protection law impact assessment” when processing poses a high risk to citizens’ rights. If such an assessment was not performed before processing began, the agency will inquire about the measures being taken regarding the existing and ongoing processing.

Reports indicate that the researcher has already received journal information from 350,000 psychiatric patients.