1.    The Privacy Commissioner for Personal Data Mr. Roderick B Woo provides a brief update on the progress of the Inspection against the Hospital Authority ("HA").

2.    The objective of the Inspection is to examine and assess the personal data system of the hospital under HA’s management with regard to the security of patients' data in compliance with the provisions of the Personal Data (Privacy) Ordinance, in particular Data Protection Principle 4 of Schedule 1 to the Ordinance in relation to data security.

3.    In accordance with the provisions of the Ordinance, the Commissioner issued a 14 days notice of Inspection to the HA on 8 May 2008 exercising his power of on-site Inspection.

4.    For the purpose of the Inspection, an Inspection Team was formed, comprising the Commissioner and the Deputy Commissioner, Mrs. Bonnie Smith, and officers from the Legal, Operations and Compliance Divisions.

5.    The Commissioner was fortunate in being able to form a team of consultants comprising eminent experts from the medical, information technology and legal professions.  They have agreed to become prescribed officers on a pro-bono basis to help the Privacy Commissioner in providing advice in the various aspects of the Inspection.  These consultants are :-

6.    The Commissioner has also engaged Mr. Patrick R. Moss as the Secretary to the Inspection Team.

7.    For the purpose of inspecting the personal data system of HA and how hospitals under its management effectively comply with its data security policies and practices, this Office obtained from the HA all relevant documents, manuals and guidelines and pertinent questions on data security.  These were closely assessed and appropriate requisitions were  raised and answered by the HA before the on-site inspection.

8.    On 16 May 2008, the Commissioner, the consultants and his Inspection Team visited a hospital under the HA’s management to pave the way for the Inspection.

9.    The Commissioner carried out the Inspection on 23 May 2008 together with the consultants, the Inspection Team, and 10 PCPD officers.  An additional 10 PCPD staff members also rendered support by providing clerical and logistics assistance.

10.    The Inspection was carried out in two ways.  On the one hand, the consultants and the Inspection Team walked through the hospital's personal data system and interviewed selected hospital staff members for practical assessment.  On the other hand, the Inspection Team and PCPD officers met more than 100 of the hospital staff members (who were selected on a random basis) to complete a questionnaire about the handling of patients' data at work.

11.    The Commissioner and his Inspection Team inspected the hospital again on 26 May 2008 to collect further information.

12.    "I am gratified by the fact that the management of the hospital was exceedingly friendly and cooperative and gave us a full picture of how they handle patients' personal data.  The doctors and officers at all levels in the hospital have been patient and helpful in providing every facility that the Inspection Team needed to do its job properly."  Mr. Woo said.

13.    At present, the Commissioner, with the consultants and his team, are compiling and analyzing the information obtained. They have had several meetings since the Inspection.  In due course, the Commissioner will with the advice and help of the consultants and the Secretary to the Inspection Team publish a report and make recommendations to the HA to promote its better compliance with the Ordinance for the purpose of protecting patients' personal data.