Fourteen main areas of concern regarding data in the Irish hospital sector have been identified in a special investigation carried out in 2017 by the Data Protection Commissioner’s office.
The report has identified risks for each matter of concern and set out recommendations to mitigate those risks.
Across the fourteen areas of concern, the report identified a total of thirty-five risks and made seventy-six recommendations to mitigate those risks.
The report was compiled following an investigation conducted last year by the office’s Special Investigation Unit (SIU). The report has now been issued to every hospital in the State.
The areas of concern identified in the report are in the following fourteen categories:
- Controls in Medical Records Libraries
- Security
- Storage of Patient Observation Charts in Hospital Ward Settings
- Storage of Patient Charts in Trolley Bins in Ward Settings
- Storage of Confidential Waste Paper Within the Hospital Setting
- Disposal of Handover Lists and Patient Lists
- Use of Fax Machines
- Lack of Speech Privacy
- Absence of Audit Trails
- Raising Awareness of Data Protection in Hospitals
- Consent for Research
- The Processing of Private Health Insurance Information in Hospitals
- Maternity Service Users
- Data Retention
The SIU investigation, which took place between January and December 2017, involved physical inspections by Authorised Officers at twenty hospitals across all geographic areas of the State spanning HSE facilities, private hospitals and voluntary hospitals.
The decision to conduct this special investigation arose from a number of factors: the substantial volume of sensitive personal data processed on an ongoing basis in that sector, awareness of some significant data security breaches in the sector in the previous decade, and the findings of data protection audits conducted in a number of hospitals by the Commissioner’s Audit Team in recent years.
The key focus of the investigation was to examine the processing of the personal data and sensitive personal data of patients in departments and areas of hospitals in Ireland to which patients and the general public had access. Based on the findings of the investigation and where issues of concern were identified with regard to data protection compliance, the aim of the investigation was to make recommendations for improvements with regard to the processing of patient data.
The Data Commissioner’s Office said the primary purpose of this investigation report was two-fold. Firstly, its purpose was to bring to the attention of every hospital in the State the matters of concern that its inspectors found in the sample of twenty hospitals inspected. Secondly, its purpose was to prompt every hospital in the State to examine whether any or all of the matters of concern highlighted in the report were occurring or could occur in its facility and, if so, to implement the recommendations it was making to remedy the situation.
“The investigation report recognises that the implementation by hospitals of some of the report’s recommendations should take into account issues that relate to patient safety to ensure that an appropriate balance is achieved between mitigating the data protection risks and mitigating risks to patient safety.
“We request all hospitals in the State to examine whether any or all of the issues highlighted in the fourteen matters of concern are occurring or could occur in their facilities and, in doing so, to consider every part of the entire hospital campus as part of that examination.
“To assist hospitals in identifying the data protection risks relevant to their facilities and to aid them in deciding the remedial actions they intend to take to mitigate those risks, we have issued each hospital with a template data protection quality improvement plan. It will be necessary for each hospital to support the implementation of the report’s recommendations by putting in place the necessary infrastructure and resources that may be required as essential enablers.”
The head of the SIU, Assistant Commissioner Tony Delaney, said, “I strongly urge every hospital to positively receive this investigation report and to embrace it as a very useful tool that will enable them to spot the significant data processing security risks that may permeate their facilities on a daily basis. No similar data protection investigation on this scale across twenty hospitals has ever been undertaken in the State previously. As a result, several of the risks identified in the matters of concern are ones that may not have been pointed out before to the hospital sector.
“Awareness of the data protection security risks that exist in an organisation is an important first step on the road towards compliance followed closely by an acceptance that remedial steps are needed to address the situation. Once those early first steps are taken, planning the remedial action and delivering on an action plan are the next key steps that should be undertaken as soon as possible. Finally, it is critical that each hospital monitors the implementation of its action plan on a continuous basis not only during the implementation phases but thereafter to ensure that the addressed risks do not recur as a consequence of lack of oversight.
“It is our belief that where hospitals identify in their facilities the risks outlined in this report and then address those risks by implementing our recommendations, they will foster a greater awareness among staff and management of the data protection rights of their patients.
“Ultimately hospitals should strive to ensure that the importance of data protection and patient confidentiality permeates the hospital culture at all times. Given the sensitive nature of the personal data that hospitals process on a 24/7 basis, it is critical that the protection of that data in a busy hospital environment is given the high priority that the data protection legislation requires. By studying this investigation report, carrying out a risk assessment and implementing the report’s recommendations, hospitals will positively enhance data protection compliance overall and drive greater awareness among their staff of the importance of protecting patient personal data that they process in the course of their daily duties.”