DPC Investigates The Health Of Data Protection In Irish Hospitals

Author: Mr Seán O'Reilly and Kate Duffy
Profession: Ronan Daly Jermyn

The Data Protection Commissioner ("DPC") has recently published a report entitled "Data Protection Investigation in the Hospitals Sector" (the "Report"), which details an investigation into data protection in the healthcare sector, carried out by the DPC's Special Investigation Unit across twenty hospitals between January and December 2017. This was the first large-scale investigation of this kind ever undertaken in Ireland.

The investigation was carried out in consideration of the substantial volume of sensitive personal data processed in the healthcare sector. Sensitive personal data includes information on physical and mental health and sexual life.

The aim of the investigation was to make recommendations for improvements in the processing of patients' personal data to ensure security and adherence to data protection regulation, and to improve the data protection infrastructure in the sector. The Report highlights fourteen matters of concern, and is intended to prompt an examination by all relevant sector bodies and hospitals of their facilities in light of these concerns.

The fourteen matters of concern were:

controls in medical records libraries; security; storage of patient observation charts in hospital ward settings; storage of patient charts in trolley bins in ward settings; storage of confidential waste paper within the hospital setting; disposal of handover lists and patient lists; use of fax machines; lack of speech privacy; absence of audit trails; raising awareness of data protection in hospitals; consent for research; the processing of private health insurance information in hospitals; maternity service users; and data retention.

The Report set out over seventy recommendations, including:

restricting staff access to medical records libraries to those who have a current need for it and routinely reporting on that access, as well as general swipe card access throughout the campus to ensure no unauthorised access; implementing automatic locking and logging off of computers in periods of inactivity...
