Privacy Commissioner Publishes Inspection Report on Hospital Authority

1.    The Privacy Commissioner (“the Commissioner”) Mr. Roderick B Woo publishes today his report of the inspection (“the Inspection”) of the Hospital Authority’s (HA) personal data system which was carried out under section 36 of the Personal Data (Privacy) Ordinance (“the Ordinance”)

Background

2.    The recent spate of incidents of loss of patients’ data contained in removable electronic storage devices, such as USB flash drives by individual hospitals under the management of the HA caused the Commissioner grave concern on the adequacy of the data security system of the HA to protect patients’ data, in particular, patients’ data held in electronic form.  In order to promote compliance by the HA with the requirements of the Ordinance, in particular, Data Protection Principle 4 (“DPP 4”) and to give useful recommendations, the Commissioner undertook the Inspection of the HA’s personal data system.

3.   The Ruttonjee and Tang Shiu Kin Hospital (“the Hospital”) were chosen as the sample of hospitals to assess the ways that the HA’s patients’ data system were implemented.  The Hospital is not a target of investigations currently being carried out by the Commissioner.

Inspection team and work done

4.    Apart from deploying the regular staff of the PCPD, the Commissioner invited four consultants coming from privacy, legal, medical and information technology fields to assist him in the Inspection.  They are Professor John Bacon-Shone, Mr. Christopher Cheuk Chan, Dr. Ho Chung-ping and Ir. Dr. Samson Tam Wai-ho.  The Commissioner also appointed Mr. Patrick R Moss to be the Secretary for the purpose of the Inspection.

5.    The team led by the Commissioner visited the HA Head Office on 9 May 2008 and visited the Hospital on 16, 23 and 26 May and 12 June 2008. 

6.     The Inspection work included:

(i)    the examination of the relevant policies, manuals and guidelines of the HA,
(ii)    face-to-face interviews with responsible personnel and some 100 randomly selected staff for completing questionnaire designed for this purpose, and
(iii)    the walk through of the various departments of the Hospital to examine the actual operation.  Meetings were also held with the senior management of the HA and the Hospital from time to time.

Observations of the Inspection Team

7.    The HA has in place fairly good and detailed written policies and practices to deal with patients’ data security.  However in the absence of a holistic approach, the profusion of these policies and practices have rendered compliance by busy medical staff difficult.  The Commissioner suggests that these policies and practices be consolidated, updated and reviewed systematically so as to help its staff to comply with same.

8.    In order to effectively enforce compliance by its staff of the data protection principles and practices, the HA should adopt a principled and systematic privacy audit approach across all hospitals so as to detect any early sign of data breach or non-compliance. 

9.    There is also a pressing need for the HA to raise the level of privacy awareness of its staff by providing more training and education in order to promote compliance of the Ordinance and to minimize the risk of future breaches through human errors.

Recommendations

10.    The Commissioner has made 37 recommendations to the HA with the following objectives:

(i)    That there should be systematic formulation, review and updating of the data security policies and practices and their effective dissemination to the HA staff;
(ii)    That the functional roles to be played by the HA’s Cluster Committees be clearly defined and that of the Data Controller strengthened to protect patients’ data security;
(iii)    That the security measures adopted by HA be strengthened to reduce the risk of unauthorized or accidental access to patients’ data;
(iv)    That HA should develop systematic data security audit methodology to be followed by all hospitals;
(v)    To tighten supervision of compliance and give more education and training to the staff;
(vi)    To make it a policy to conduct privacy impact assessment; and
(vii)    To give data breach notification upon happening of a data security breach.

A full version of the recommendations are set out in Chapter 6 of the Report.

11.    Mr. Woo said, “Throughout the inspection, I was mindful of the fact that hospitals exist primarily to save lives and that must be of primary concern to the public.  I also realize that no system or policy can completely eliminate human errors and that DPP 4 does not impose an absolute duty upon the data user to keep safe personal data.  I have therefore put forward recommendations which are reasonably practicable for the HA to follow.  I am pleased to say that the HA has taken a positive approach towards my recommendations and my suggestions on culture building in relation to information security and privacy.  In the end, let us hope that a security system which can better safeguard patients’ data security will emerge.”

12.    “Much as I would want to visit more public hospitals, resources and financial constraints have prevented me from doing so.  The carrying out of an inspection is labour intensive and I have deployed over half of the workforce at my disposal for completing the present task.  I hope this is not going to be the one and only inspection because it is clearly in the public interest that there should be more inspections.  The Government has to decide whether it will keep section 36 of the Ordinance alive by its allocation of resources without which the Commissioner cannot afford to make more inspections.” Mr. Woo said.

Note: The report is available for download from the website of the Commissioner's Office (http://www.pcpd.org.hk/english/publications/invest_report.html).



END