Hospitals to be inspected over handling of patient files

Data Protection Commissioner to examine how staff deal with sensitive information in public areas

Hospitals are to be inspected by the State’s data watchdog to ensure staff are respecting patient privacy when staff handle data in public areas.

Data Protection Commissioner Helen Dixon's office said on Tuesday it had finalised preparations to open a new investigation into the hospitals sector this year.

The office's special investigations unit will examine the processing of patient sensitive personal data in areas of hospitals in Ireland with patient and public access. It said that based on the findings of that examination it may make recommendations for improvements.

The inquiries will involve physical inspections at hospitals across the State, spanning HSE facilities, private hospitals and voluntary hospitals, to give “as broad an insight as possible into the processing of sensitive personal data in public areas of hospitals”.

READ MORE

“This investigation will focus on the circulation and journey of patient files in order to identify whether there are any shortcomings in terms of meeting the requirements of the Data Protection Acts to keep personal data safe and secure and to have appropriate measures in place to prevent unauthorised access to or disclosure of personal data,” the commissioner said.

Publishing her annual report for 2016, Ms Dixon also expressed concern about the implementation of large-scale government projects and about the need for transparency in delivering them.

She said the implementation of such projects without specific legislative underpinning, but “rather relying on generic provisions in various pieces of legislation, poses challenges in terms of the transparency to the public in relation to projects such as the Primary Online (primary schools) Database and the Public Services Cards and the uses to which personal data is now being applied”.

“While a lawful basis for such use of personal data can be cited, the need for notice and transparency is especially high in these types of cases and it is not always clear that public clarity has been delivered.”

The Government is currently preparing legislation that will outline parameters for the sharing of people’s personal information across public sector bodies.

On its regulation of multinational companies in Ireland, the commissioner’s office said its supervision such firms was now being delivered by a new multinationals and technology team.

This ensured its regulatory activities for each multinational were coordinated and that they were well placed for the new EU General Data Protection Regulation in May 2018.

Ms Dixon said her office had been engaged directly with both Facebook and WhatsApp over the past months to address concerns that arose last year over how the phone messaging app was obtaining consent from users to share data across the Facebook group.

The DPC also investigated a massive data breach reported by Yahoo in September last year. The internet giant, which has its European headquarters in Ireland, revealed the accounts of 500 million users had been stolen and copied in 2014.

The commissioner said that during the course of the investigation, Yahoo had reported further, separate breaches which were also in the public domain and which her office continued to assess.

Ms Dixon said the massive data breaches suffered by Yahoo provided “a salutary reminder of the sheer quantity of our personal data stored by online service providers”.

As in previous years, the range of issues her office dealt with continued to expand rapidly.

“So too does our responsibility to individuals across Ireland and the EU. The main drivers are the unrelenting pace in the growth of the internet and technological innovations such as artificial intelligence and the Internet of Things, as well as the continuing presence in Ireland of most of the world’s leading technology and internet companies,” the commissioner added.