Earlier this year we reported on the Irish Data Protection Commission’s (the “DPC”) investigation into the hospitals sector. In the course of the investigation the DPC physically inspected twenty hospitals across the country and prepared a comprehensive report (the “Report”) identifying fourteen areas of concern ranging from controls in medical records libraries and security to consent for research and data retention. The Report set out over seventy recommendations, including:
- restricting staff access to medical records libraries to those with a current need, routinely reporting on that access, and reviewing general swipe-card access throughout the campus to ensure there is no unauthorised access;
- prohibiting staff from accessing or editing personal data on hospital computer systems via other users’ accounts;
- where patient data held on patient information systems is accessible to other hospital facilities in the same geographical region, informing patients accordingly by means of a patient information leaflet given to each patient, and clarifying the legal basis for such data sharing; and
- where hospitals need to share personal or sensitive personal data with other hospital facilities during the course of a patient’s care or treatment, making the patients concerned aware of the necessity for such data sharing and giving them the opportunity to consent to it.
At the start of this week, it was reported that the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados) imposed a €400,000 fine on the Barreiro Hospital.
The reported breaches which resulted in the imposition of this significant fine were:
- access to patients’ medical records by non-medical professionals;
- a large discrepancy between the number of active users with a “doctor” profile and the actual number of doctors working in the hospital; and
- failure to segregate Barreiro Hospital patient data from archived data of other hospitals.
The resemblance between the concerns identified in the Report and the infringements which led the Portuguese Data Protection Authority to impose a significant fine is striking. While the full impact of the General Data Protection Regulation is yet to be seen, the message from European data protection authorities, five months on, is clear: identify the security risks in your data processing, enhance data protection compliance, and raise awareness among staff of individuals’ data protection rights.