The Data Protection Commissioner’s office today published a report entitled “Data Protection Investigation in the Hospitals Sector.” The report was compiled following an investigation conducted in 2017 by the office’s Special Investigation Unit (SIU). The report was issued to every hospital in the State today.

 

 

The SIU investigation, which took place between January and December 2017, involved physical inspections by Authorised Officers at twenty hospitals across all geographic areas of the State spanning HSE facilities, private hospitals and voluntary hospitals. It was decided to conduct this special investigation arising from a number of factors such as the substantial volume of sensitive personal data which is processed on an ongoing basis in that sector; our awareness of some significant data security breaches in the sector in the previous decade; and the findings of data protection audits conducted in a number of hospitals by our Audit Team in recent years. The key focus of the investigation was to examine the processing of the personal data and sensitive personal data of patients in departments and areas of hospitals in Ireland to which patients and the general public have access. Based on the findings of the investigation and where issues of concern were identified with regard to data protection compliance, the aim of the investigation was to make recommendations for improvements with regard to the processing of patient data.

 

This overall investigation report draws from the findings of the individual inspection reports that were prepared following the inspections of each of the twenty hospitals.

 

 

The primary purpose of this investigation report is two-fold. Firstly, its purpose is to bring to the attention of every hospital in the State the matters of concern that our inspectors found in the sample of twenty hospitals inspected. Secondly, its purpose is to prompt every hospital in the State to examine whether any or all of the matters of concern highlighted in this report are occurring or could occur in its facility and, if so, to implement the recommendations we are making to remedy the situation.

 

 

This investigation report sets out fourteen main matters of concern that arose from the hospital inspections carried out in 2017. For each matter of concern, the report identifies risks and it sets out recommendations to mitigate those risks. Across the fourteen matters of concern, the report identifies a total of thirty five risks and it makes seventy-six recommendations to mitigate those risks. The matters of concern which arose are set out in the following fourteen categories:

 

 

The investigation report recognises that the implementation by hospitals of some of the report’s recommendations should take into account issues that relate to patient safety to ensure that an appropriate balance is achieved between mitigating the data protection risks and mitigating risks to patient safety.

 

 

We request all hospitals in the State to examine whether any or all of the issues highlighted in the fourteen matters of concern are occurring or could occur in its facility and, in doing so, to consider every part of the entire hospital campus as part of its examination. To assist hospitals in identifying the data protection risks relevant to their facilities and to aid them in deciding the remedial actions they intend to take to mitigate those risks, we have issued each hospital with a template data protection quality improvement plan. It will be necessary for each hospital to support the implementation of the report’s recommendations by putting in place the necessary infrastructure and resources that may be required as essential enablers.

 

 

Speaking today, the head of the SIU, Assistant Commissioner Tony Delaney stated: “I strongly urge every hospital to positively receive this investigation report and to embrace it as a very useful tool that will enable them to spot the significant data processing security risks that may permeate their facilities on a daily basis. No similar data protection investigation on this scale across twenty hospitals has ever been undertaken in the State previously. As a result, several of the risks identified in the matters of concern are ones that may not have been pointed out before to the hospitals sector. Awareness of the data protection security risks that exist in an organisation is an important first step on the road towards compliance followed closely by an acceptance that remedial steps are needed to address the situation. Once those early first steps are taken, planning the remedial action and delivering on an action plan are the next key steps that should be undertaken as soon as possible. Finally, it is critical that each hospital monitors the implementation of its action plan on a continuous basis not only during the implementation phases but thereafter to ensure that the addressed risks do not recur as a consequence of lack of oversight.

 

It is our belief that where hospitals identify in their facilities the risks outlined in this report and then address those risks by implementing our recommendations, they will foster a greater awareness among staff and management of the data protection rights of their patients. Ultimately hospitals should strive to ensure that the importance of data protection and patient confidentiality permeates the hospital culture at all times. Given the sensitive nature of the personal data that hospitals process on a 24/7 basis, it is critical that the protection of that data in a busy hospital environment is given the high priority that the data protection legislation requires. By studying this investigation report, carrying out a risk assessment and implementing the report’s recommendations, hospitals will positively enhance data protection compliance overall and drive greater awareness among their staff of the importance of protecting patient personal data that they process in the course of their daily duties.”

 

 

 

For media related queries, please contact Graham Doyle,

Head of Communications,

Data Protection Commissioner

 

Mob. 087-9392359

Email: media@dataprotection.ie