Data investigation raises concerns over privacy in hospitals

Data Protection Commissioner unit finds issues with handling of confidential records

A special investigation by the Data Protection Commissioner (DPC) into 20 hospitals throughout the State found concerns about the handling of confidential records and a lack of privacy for patients when discussing medical issues.

The investigation was one of several opened last year by commissioner Helen Dixon, whose annual report for 2017 is published on Tuesday.

The special investigation unit also examined governance issues at the Child and Family Agency, Tusla, the Government's public services card project, and practices in the private investigator sector.

The commissioner received a record number of complaints in 2017 from people concerned about their data protection rights. There were 2,642 complaints in 2017, up from 1,479 the previous year.


The hospitals investigation examined the processing of patients’ sensitive personal data in publicly accessible areas of the facilities.

It concentrated in particular on the circulation and journey of patient files, in order to identify any shortcomings in terms of meeting the requirements of the Data Protection Acts to keep personal data safe and secure and to have appropriate measures in place to prevent unauthorised access to or disclosure of personal data.

Inspections were carried out at HSE facilities, private hospitals and voluntary hospitals to give as broad an insight as possible into the processing of sensitive personal data in public areas of hospitals, the DPC’s annual report for 2017 said.

"On a geographic basis, the hospitals inspected represented a broad sample from across the State, with eight hospitals inspected in the Dublin area, five hospitals inspected in the greater Leinster region, two hospitals inspected in Connacht, four hospitals inspected in Munster and one hospital inspected in Ulster, " the DPC said.

The 20 hospitals have been asked to draw up action plans to implement the commissioner’s recommendations on areas of risk, and these will be monitored over the following 12 to 18 months.

The special investigation unit, headed by Assistant Data Protection Commissioner Tony Delaney, is currently drawing up an overall inspection report, which will be given to every hospital in the State in the first half of this year.

“This report will bring to the attention of hospitals generally the matters of concern found in the 20 hospitals inspected, including concerns about: controls in medical record libraries; storage of confidential wastepaper within the hospital setting, and lack of privacy when discussing medical and other personal issues,” the annual report said.

“It will also prompt all hospitals to examine whether any or all of those matters of concern are occurring or could occur in their hospital facility and, if so, to implement the recommendations we are making to remedy the situation.”

Tusla inquiry

A separate investigation into Tusla was opened in response to information that came into the public domain in February last year about the handling of personal data and sensitive personal data.

Inspections were carried out at Tusla offices in Limerick, Tralee, Kilkenny, Drogheda, Navan, Churchtown, Portlaoise, and at the Tusla head office in Dublin. Four of them were unannounced.

The investigators found evidence of “multiple and overlapping volumes of individual case files”, where no complete “master file” could be identified, and with no audit trail in relation to the handling of the files.

They said the processing of personal and sensitive personal data, in the context of Tusla’s record-keeping, was not sufficiently planned for in the form of a “robust data governance strategy” when the agency was established in 2014.

The DPC presented Tusla with the findings last month and requested a “plan of action” within two months.

In relation to the Government’s public services card project, the DPC said it expected to issue its findings to the Department of Employment Affairs and Social Protection during the first half of this year.

The commissioner received a record number of complaints in 2017 from people concerned about their data protection rights. There were 2,642 complaints to the office, up from 1,479 the previous year. The largest single category of complaint was in relation to people having problems getting access to data organisations held about them.

There was also an increase of almost 26 per cent in the number of data breaches reported last year, with 2,795 valid breaches reported.

Typical breaches included inappropriate handling or disclosure of personal data and access by third parties to personal data.