The investigation was conducted in 20 hospitals throughout 2017 by the Special Investigations Unit, spearheaded by Assistant Commissioner Tony Delaney. The focus of the investigation was "to examine the processing of the personal data and sensitive personal data of patients in departments and areas of hospitals in Ireland to which patients and the general public have access".
Unsurprisingly, hospitals deal with large volumes of sensitive personal data on a daily basis. This can be in the form of patient charts in the wards and on trolleys, private health insurance information and files from General Practitioners sent by fax, the use of which is still widespread in hospitals.
In total the report highlighted 35 risks and offered 76 practical recommendations to mitigate those risks and improve data protection and privacy.
A prevalent issue many patients or visitors to a hospital have encountered is the lack of speech privacy. When talking at a reception desk, sensitive personal data is shared with and handled by receptionists, but this information can often be easily overheard by nearby third parties. To counteract this, the DPC recommends simple but effective solutions such as putting line markings on the floor to ensure adequate space is given, as well as the implementation of a ticketing system to control queues.
In relation to the storage of patient observation charts, it was noted that these are often stored outside the door of a patient's room or on the end of their trolley. Such storage is not secure, as third parties can easily access and read the medical details contained in the chart.
The DPC recommended that the charts instead "be stored securely in a protected environment, in the immediate vicinity of the patient’s ward or room if necessary, where they are accessible only to hospital staff who have a professional need to access them". However, the DPC understands that in certain instances immediate access to a patient's chart will be necessary and so it is noted that hospitals should take steps "to ensure that an appropriate balance is achieved between mitigating the data protection risks outlined above and mitigating risks to patient safety".
Commenting on the report, Tony Delaney stated that "no similar data protection investigation on this scale across twenty hospitals has ever been undertaken in the State previously. As a result, several of the risks identified in the matters of concern are ones that may not have been pointed out before to the hospitals sector. Awareness of the data protection security risks that exist in an organisation is an important first step on the road towards compliance followed closely by an acceptance that remedial steps are needed to address the situation."
The remedial steps recommended are divided into hospital-specific and sector-wide categories. The DPC noted that "the implementation of the recommendations will not be achieved by simply issuing reminders to staff or by creating standard operating procedures. Rather, it will be necessary for each hospital to support the implementation of the recommendations by putting in place the necessary infrastructure and resources that may be required as essential enablers."
The DPC pointed out that the additional staffing resources it has received allowed it to fund and carry out this investigation. It seems likely that, with further increased funding, the DPC will carry out more sector-specific special investigations.
The full report can be found here.