The Privacy Commissioner completes the Inspection of the Hospital Authority’s Personal Data System
1. The Privacy Commissioner, Mr. Roderick B WOO (“the
Commissioner”), has today sent to the Hospital Authority (“HA”) his
report of the Inspection of HA’s personal data system which was carried
out under section 36 of the Personal Data (Privacy) Ordinance (“the
Ordinance”).
2. The Inspection concerns the adequacy
of the patients’ data security system maintained by the HA. The
Ruttonjee Hospital and Tang Shiu Kin Hospital (which operate as a
combined hospital) were chosen as the Hospital through which to assess the
effectiveness of the HA’s management of its data system within its
network of public hospitals. The Hospital’s patients’ data system
was examined on site and many of its personnel were interviewed.
3. “Although this is the
first time that the power of inspection is exercised under the
Ordinance, I am proud to say that with the assistance of the team of
Consultants and the hard work of my staff, we have managed to identify
expeditiously some areas of concern within the HA’s data system and
have made some constructive recommendations which should help improve
its personal data system in relation to the security of patients’
data. I hope the HA will give full consideration to the
recommendations and take all reasonably practicable steps to safeguard
the security of patients’ data in compliance with the data protection
principle in the Ordinance. Above all, I hope by taking such
steps, the risks of the recurrence of the data loss will be
substantially reduced,” said Mr. Woo.
4. The Commissioner intends to publish the Report
under section 48(1) of the Ordinance. However, he is required by
law to give 28 days’ notice to the HA to advise whether there is any
matter in the Report the disclosure of which would involve disclosure
of personal data that are exempt from the provisions of DPP6 by virtue
of an exemption under Part VIII of the Ordinance. To ensure that
all factual statements in the Report concerning the HA were accurate,
the Commissioner had sent a draft of the Report on 18 June 2008 with a
request for comments. The HA suggested, and the Commissioner
agreed, that none of the HA’s staff be identified in the Report.
The Commissioner now believes that a prompt response can be given by
the HA to clear the way for the publication of the Report. At
this stage, the Commissioner is restrained by the duty of secrecy from
giving further details of the Report.
5. The Inspection was one of a series of actions
taken by the Commissioner in response to the recent spate of data loss
incidents. The Inspection does not affect the various
investigations currently undertaken by the Commissioner on specific
incidents of data losses by individual hospitals under the HA’s
management.
END