The Data Protection Commissioner (“DPC”) has recently published a report entitled “Data Protection Investigation in the Hospitals Sector” (the “Report”), which details an investigation into data protection in the healthcare sector, specifically across twenty hospitals carried out by the DPC’s Special Investigation Unit between January and December 2017. This was the first large-scale investigation of this kind ever undertaken in Ireland.

The investigation was carried out in consideration of the substantial volume of sensitive personal data processed in the healthcare sector. Sensitive personal data includes information on physical and mental health and sexual life.

The aim of the investigation was to make recommendations for improvements in the processing of patients’ personal data, to ensure security and adherence to data protection regulation, and to improve the data protection infrastructure in the sector. The Report highlights fourteen matters of concern, and is intended to prompt all relevant sector bodies and hospitals to examine their facilities in light of these concerns.

The fourteen matters of concern were:

  1. controls in medical records libraries;
  2. security;
  3. storage of patient observation charts in hospital ward settings;
  4. storage of patient charts in trolley bins in ward settings;
  5. storage of confidential waste paper within the hospital setting;
  6. disposal of handover lists and patient lists;
  7. use of fax machines;
  8. lack of speech privacy;
  9. absence of audit trails;
  10. raising awareness of data protection in hospitals;
  11. consent for research;
  12. the processing of private health insurance information in hospitals;
  13. maternity service users; and
  14. data retention.

The Report sets out over seventy recommendations, including:

  1. restricting staff access to medical records libraries to those who have a current need for it, routinely reporting on staff access to those libraries, and using general swipe card access throughout the campus to ensure there is no unauthorised access;
  2. implementing automatic locking and logging off of computers in periods of inactivity;
  3. maintaining more secure environments for the filing of personal data and the storage of charts, particularly during periods where a patient is waiting to be seen imminently by a consultant or otherwise;
  4. changing the standard practice of hanging patient observation charts on the end of the patient’s bed without any security, and covering of charts in transport (such as on hospital trolleys) to prevent third party access;
  5. the implementation of protocols (and training of staff) to handle a personal data breach to ensure compliance with the GDPR in this respect;
  6. the replacement of unsecured bins, bags and trays with secure, confidential waste bins;
  7. providing patients with the opportunity to move to a private space to discuss their health and not being expected to discuss any aspect of their condition, care or treatment in environments where they do not have privacy;
  8. making comprehensive information available to patients about the processing of their personal data and purposes therefor;
  9. staff training and refresher programmes to inform and remind staff of their obligations with respect to the data protection rights of patients, particularly for reception staff; and
  10. the implementation of procedures to safely destroy patient information once the applicable data retention period has been reached.

Hospitals and other healthcare bodies are encouraged to treat the Report as a useful tool for identifying data protection risks and implementing the procedures and policies needed to secure their facilities. This will ensure that patients’ personal data is protected and that the processing of such data adheres to the GDPR.