Hospital staff given access to patient records for research without consent - report

Major investigation by Data Protection Commissioner examines privacy practices at 20 hospitals

Medical staff in a hospital were given access to patient files for their research and studies without the consent of the patients concerned, a major investigation by the Data Protection Commissioner has found.

The investigation into the treatment of confidential patient records at 20 hospitals across the State by the regulator’s special investigation unit commenced in January last year and took over a year to complete.

Inspectors uncovered a range of problems where confidential patient files were potentially exposed, including to potential “snooping” by staff who had no legitimate reason to access them, and a lack of proper audit trails to show who had accessed computer records and whether they had been edited.

There were 259 risks identified by inspectors across the 20 hospitals examined.


The inspectors examined the processing of sensitive patient data in areas to which patients and the public have access, finding that files were sometimes not properly protected from disclosure to people who should not have access to them.

In some cases, auditors from health insurance companies were also able to access the full details of a patient’s medical history, even though the auditors should only have had access to details relating to a specific claim made against the patient’s health insurance.

The report also makes recommendations that hospitals should ensure patients have “speech privacy” so they are able to discuss their personal and health information without being overheard by people, including other patients.

The audit covered Health Service Executive (HSE) facilities, private hospitals and voluntary hospitals.

Eight hospitals were inspected in the Dublin area, five in the greater Leinster region, two in Connacht, four in Munster, and one hospital was inspected in Ulster.

The 20 hospitals subjected to the special investigation were the Royal Victoria Eye and Ear Hospital, Dublin, the Mater hospital, Beaumont Hospital, Our Lady's Children's Hospital, Crumlin, Tallaght hospital, the Blackrock Clinic, the National Maternity Hospital, Holles Street, St Vincent's University Hospital and the Midlands Regional Hospital, Mullingar.

Also examined were Aut Even Hospital and St Luke’s Hospital in Kilkenny, Our Lady’s Hospital, Navan, Wexford General Hospital, the Bon Secours Hospital, Cork, Cork University Hospital, University Hospital Kerry, University Hospital Limerick, Sligo University Hospital, University Hospital Galway, and Letterkenny University Hospital in Donegal.

The Data Protection Commissioner’s report said it was intentionally not identifying by hospital the specific matters of concern that arose in each of the hospitals inspected.

Matters of concern identified during the inspections were ones that likely currently arose in other hospital facilities throughout the State, it said.

Assistant data protection commissioner Tony Delaney, who led the investigation, said every hospital in the State needed to examine whether any or all of the matters of concern highlighted were occurring or could occur in their own facilities . If they were, they should implement the recommendations made in the report to remedy that.

In relation to the hospital where staff, including trainee doctors and nursing staff, were given access to patients’ records for their own research purposes or further studies, Mr Delaney said the hospital “considered that they were the data controller and there was no issue with allowing their staff to access the records”.

“It had been going on for probably years. Nobody had questioned it before until we came upon it.”

Mr Delaney said the inspection team made recommendations for change and the hospital had undertaken to review what it was doing.

The report also recommends that pregnant women should be given the right to decide whether to accept custody of their maternity healthcare records during pregnancy in order to protect them from any possible negative consequences due to their domestic circumstances.

Mr Delaney told The Irish Times the top risks identified in the investigation included the use of open-topped trolleys to transport patient records around the hospital facilities.

The storing of patient charts in an unprotected manner outside consultation rooms was also an issue.

“Data protection compliance goes to the very heart of the dignity of care of patients. In my view, patients should not be unpleasantly surprised, or indeed disappointed with the treatment of their personal data while they are in hospitals,” he said, noting hospitals were custodians of “vast” quantities of the most sensitive personal data.

The report, Data Protection Investigation in the Hospitals Sector, is being issued to every hospital in the State on Monday.

It warns that some hospitals are engaged in practices that may risk breaching current data protection legislation, as well as being in breach of the EU’s General Data Protection Regulation, a major new regime, which will be enforceable from next Friday.