Region Örebro län transferred personal data of healthcare staff to support services in Sri Lanka when implementing the Cosmic medical record system, despite lacking completed data protection agreements. The incident occurred as the region was among the first to adopt the Cosmic system, which is now used by nine Swedish regions.
According to SVT Örebro's investigation, the data transfer happened before all necessary agreements were finalized, potentially violating GDPR regulations. Sri Lanka is not approved by the EU for handling sensitive personal data transfers.
Martin Gunnarsson, acting health and medical care director for the region, defended the decision, stating that postponing the system implementation would have meant relying on manual routines and duplicate documentation, which also posed risks. He emphasized that only the names and contact information of healthcare staff were sent to Sri Lanka, not patient medical records.
Experts warn that implementing the system without completed agreements means there was no legal basis for transferring personal data outside the EU. The region has since updated the agreement, but questions remain about why the system was put into use before all data protection measures were in place.
The region's response, in brief: only staff names and contact details were sent, not patient records; patient data is governed by other agreements and was never sent to a third country; and work on the data protection agreement started early but was delayed because many parties were involved.