“Human factors always play a significant role in data breaches.” These simple but wise words resonated in our review of a recent investigation report published by the Privacy Commissioner in Hong Kong on 13 June 2022 regarding the loss of physical files containing sensitive personal data by Town Health Medical & Dental Services Limited (“Town Health”). Pádraig Walsh from our Data Privacy Practice Group shares some points for us all to remember.
Town Health is a well-known medical service provider in Hong Kong, with over 100 medical centres across the city providing general and specialist practice services and dental consultations. The data breach incident occurred at one of its centres.
Town Health had a practice of moving inactive patient medical records from its centres to a central warehouse for storage. On 14 March 2021, a health care assistant was performing the task of selecting physical files to be sent to storage. She placed the files in a carton box. The health care assistant did not complete the task in one sitting, and left the carton box in her working area intending to resume later that day. The carton box was near a trash bin. A cleaner mistakenly treated the carton box as waste and disposed of it together with other waste.
The health care assistant informed her supervisor of the incident the next day, on 15 March 2021. On 2 June 2021, Town Health lodged a data breach notification with the Privacy Commissioner for Personal Data (“PCPD”).
The incident affected 294 patients and included the loss of personal data such as names, telephone numbers, HKID card numbers, addresses, dates of birth, patient and medical card numbers, diagnosis records, medication records and laboratory results, all of it sensitive personal data.
Town Health had specific guidelines for handling personal data, medical records, and cleaning. These were provided to staff when employed and posted on the premises. However, Town Health did not provide training on personal data protection for its frontline staff before the incident.
The PCPD found that Town Health had these deficiencies in ensuring the security of personal data:
- Lack of staff awareness of personal data protection. The incident occurred because of human inadvertence. The health care assistant and cleaner did not take heed of data security.
- Lack of effective data protection policies and procedures. The policies of Town Health were not sufficiently comprehensive or specific.
- Lack of staff training on personal data protection. Town Health did not provide training for its frontline staff on the protection of personal data.
These findings formed the basis for the PCPD to decide that Town Health had not taken all practicable steps to ensure that the medical records in question were protected from unauthorised or accidental access, processing, erasure, loss or use. The misstep was a contravention of Data Protection Principle (“DPP”) 4(1) concerning the security of personal data under the Personal Data (Privacy) Ordinance (“PDPO”). The PCPD issued an enforcement notice to Town Health, directing Town Health to take steps focused on improving policies and procedures, effectively monitoring compliance by staff and third-party contractors, and providing training on data protection.
The investigation report highlights some interesting features to keep in mind.
The physical world: It is tempting to think that data breaches happen only in the digital world of bits and bytes. However, personal data also lives in the physical world around us. Here, sensitive personal data was in paper files awaiting delivery to storage. One of the recommendations of the PCPD was that organisations must adopt the same level of security measures for processing personal data, whether computerised or physical, and should also allocate resources to strengthen security measures to protect physical data.
Training and awareness: The PCPD noted that human factors always play a significant role in data breaches; this was another example. How can organisations protect against human error? Training and awareness programmes. People do not consistently rise to the summit of their ambitions but consistently fall to the level of their training. The PCPD recommended that organisations enhance employee awareness of personal data protection and embed this principle within the corporate culture. These practices should include regular and comprehensive training on personal data protection and management oversight that ensures that personal data protection is an integral part of daily employment duties. You can read our thoughts on this topic here.
Notification: In Hong Kong, there is no statutory obligation under the PDPO to notify the PCPD or data subjects if a data breach occurs. However, timely notification is recommended best practice, with supporting guidelines published by the PCPD setting out the expected (though non-binding) standards for notification. In its report, the PCPD comprehensively explained why organisations should adopt a policy of making prompt data breach notifications. The PCPD will provide organisations with advice intended to help them respond promptly to incidents and minimise loss and damage. It will also provide further guidance on improving systems and policies to prevent a recurrence. Conversely, declining to notify or delaying notification can multiply the damage and loss incurred. The key message of the PCPD is that data breach notification is not inherently punitive.
Given the relatively modest size of the medical centres operated by Town Health, the remedial measures taken by Town Health are an instructive guide to positive steps that small and medium-sized businesses can take in respect of data protection.
Town Health took immediate steps to recover the lost files, but in vain. They notified the affected patients either by phone or in writing. They engaged an external cleaning company to provide cleaning services to all its centres. They published revised cleaning guidelines, required the cleaning company to comply, and directed its health care assistants to monitor and report quarterly on cleaning standards. They updated policies on inactive medical records. These remedial steps were positively noted in the incident report from the PCPD.
Town Health has also appointed a data protection officer. In Hong Kong, appointing a data protection officer is not mandatory, though it is a recommended best practice. The appointment of a data protection officer can provide a focal point for personal data protection. The appointment was likewise positively noted in the incident report from the PCPD.
The PCPD rightly takes the view that a privacy management programme is needed to establish and maintain a proper system for the responsible use and retention of personal data. Privacy needs a programme that effectively manages the personal data lifecycle from collection to erasure and handles data breach incidents promptly. The design, implementation and maintenance of systems and policies under a privacy management programme ultimately embeds a culture of personal data protection in an organisation.
Culture. How do you create it? Businesses should have a culture of personal data protection. It is a simple statement with which few business leaders would disagree. How can you implement this noble aspiration in daily practice?
The answer lies in training and awareness programmes that are part and parcel of a privacy management programme. A privacy management programme operationalises personal data protection in the systems and policies of the business. Training. Policies. Systems. This is the hard work and pragmatic reality of personal data protection.
A penny of prevention is always better than a pound of cure.