Privacy Commissioner commits himself to securing patients' data
Sequence of events
1. On 25 April 2008, two incidents of loss of patients' data in Tuen Mun Child Assessment Centre under the management of the Director of Health and the United Christian Hospital were reported. The number of patients involved was 700.
2. On 5 May 2008, the Chief Executive of the Hospital Authority announced that there had been nine incidents of loss of patients' data in the past 12 months in five hospitals. The number of patients involved increased to 6,000.
3. In the early evening of 5 May 2008, the Office of the Privacy Commissioner for Personal Data received a call from the Prince of Wales Hospital and learned that a flash drive containing the personal data of 10,000 patients had been lost. This took the total number of patients up to 16,000.
4. The Privacy Commissioner for Personal Data, Mr. Roderick B Woo, says, "It is evident that the very many cases of loss of patients' data by various hospitals have shocked the public. And, rightly so. I have therefore ordered immediate actions to be taken under the Personal Data (Privacy) Ordinance (the Ordinance) with a view to securing the safety of patients' data in the future."
Actions taken by the Commissioner
In the case of United Christian Hospital where an employee lost a USB flash drive
5. Following the verification of a complaint, the Privacy Commissioner has today started an investigation against the Hospital Authority ("HA") under section 38(a) of the Ordinance. A summons has been issued requiring the officer-in-charge to come before the Commissioner to give evidence relating to this incident. Meanwhile, the hospital has confirmed that the use of USB flash drives to transfer patients' personal data has been suspended.
In the 3 cases of data loss by Tuen Mun Child Assessment Centre, Kowloon Hospital and Pamela Youde Nethersole Eastern Hospital, where no complaints had been received
6. The Privacy Commissioner approached HA and the Department of Health ("D of H") on 28 April 2008 asking for information relating to the losses which had occurred, and the security measures, policies and practices which were in place. While the Commissioner was anxiously waiting to hear from HA and D of H, he was surprised to learn yesterday of the additional, hitherto unpublicised losses of patients' data. He has therefore started a self-initiated investigation under section 38(b) against both organizations as of today. During the investigation, he shall call for all relevant information and may also summon witnesses to give evidence before him.
7. "I am deeply concerned that these data losses might well be just the tip of the iceberg. Even taken at face value, the situation is very worrying not just to this Office but to the general public. Patients' data are regarded by all civilized societies as sensitive personal data and must be handled with due respect and care. I am determined to do my utmost to help improve the protection of patients' data," Mr. Woo said.
Action to be taken
a) Investigation of the remaining data loss cases
8. The Commissioner is probing into the other data loss cases involving (a) Queen Mary Hospital and (b) Prince of Wales Hospital. He shall in due course decide what actions to take.
b) Inspection of HA's system
9. The series of incidents reveals inadequacies in the personal data system operated by HA, which needs urgent inspection and review to prevent similar occurrences in future. Since a substantial number of patients' data can be accessed and used by the employees of HA for designated purposes, it is imperative that the whole system should be carefully examined and subject to random inspection.
10. The Commissioner finds it in the public interest to exercise his power under section 36 to conduct an inspection of the personal data system operated by HA with a view to making recommendations to promote compliance with the Ordinance. The exercise of the inspection power under the Ordinance is in addition to, and does not affect, the carrying out of the investigations concurrently taken by the Privacy Commissioner. This will be the first time such power is exercised.
NB: Please refer to the attached explanatory note on the Commissioner's power to inspect personal data systems.
END