Police can secretly access Estonians' health records with a simple query
Estonian officials can obtain sensitive personal health data from the Health and Welfare Information Systems Centre (TEHIK) through a simple request, with no meaningful oversight and without the individuals concerned being informed. The practice raises serious questions about privacy and data protection in Estonia.
Estonian law enforcement and other officials are able to access citizens' sensitive health records from the Health and Welfare Information Systems Centre (TEHIK) through straightforward administrative requests, according to reporting by Postimees. Crucially, the legitimacy of these requests is not meaningfully reviewed after the fact, and the individuals whose data is accessed are never notified.
No Oversight, No Transparency
The system allows police and other agencies to query personal health information without requiring judicial authorisation or triggering any automatic review process. Once a request is submitted, the data can be retrieved without any substantive check on whether the query was legally justified or proportionate.
This means that a person's most sensitive medical details — information that could include mental health records, prescriptions, diagnoses, and treatment history — may be examined by officials without the individual ever becoming aware that their privacy has been intruded upon.
Wider Implications for Data Rights
Privacy advocates and legal experts have long warned that Estonia's advanced digital infrastructure, while celebrated for its efficiency and innovation, also creates unique risks if access controls are inadequate. The ability to retrieve detailed health records with minimal friction and no notification requirement could conflict with both Estonian data protection law and EU GDPR principles.
The revelations highlight a tension at the heart of Estonia's digital society: the same systems that make government services seamless and fast can also enable surveillance or misuse of data if robust safeguards are not in place. It remains unclear how frequently such health data queries are made, by whom, and for what purposes.