Investigation report: Loss of USB flash drive containing patients’ personal data by United Christian Hospital
1. The Privacy Commissioner for Personal Data (“the Commissioner”), Mr. Roderick B. Woo, published today (24 December) a report (“the Report”) on the result of an investigation of a complaint case carried out pursuant to section 38(a) of the Personal Data (Privacy) Ordinance (“the Ordinance”). The case concerned the loss of a USB flash drive containing the personal data of 26 patients by a staff member of the United Christian Hospital (“UCH”), which is under the management of the Hospital Authority (“HA”).
2. After careful consideration of all the relevant facts, the Commissioner found that UCH had contravened Data Protection Principle (DPP) 4 of Schedule 1 to the Ordinance, which provides that a data user shall take all practicable steps to ensure that the personal data held by it are protected against unauthorized or accidental access, processing, erasure or other use.
3. Under section 50 of the Ordinance, if the Commissioner is of the opinion that a data user has contravened a DPP and it is likely that the contravention will continue or be repeated, he may serve an enforcement notice on the data user. However, as the staff of UCH had stopped using USB flash drives to store and transmit patients’ data, there was no evidence that the contravention by UCH was likely to continue or be repeated. The Commissioner therefore does not consider it necessary to serve an enforcement notice on the HA in respect of this case.
4. As USB flash drives are portable and versatile, they are widely used by medical practitioners to store patients’ personal data. Before using one, however, staff should first consider whether there is a real need for it or whether any other effective substitute exists, and assess the potential risk of using it. In this case, the medical staff could in fact have used the hospital intranet instead of a USB flash drive, which would have minimized the risk and impact of losing patients’ personal data. When data are transmitted by electronic means, the security of the transmission should also be assessed appropriately.
5. The Commissioner’s comments on this case are, “There is no doubt that technological advancements can bring greater convenience to the workplace. However, when using new technology to enhance work efficiency, data users should also raise the awareness and standard of requirements of their staff in the protection of personal data. They should carry out timely reviews of their established policies and internal guidelines to keep pace with technological advance. I learnt that after the incident, UCH had forbidden its staff to use USB to handle and store patients’ personal data (unless prior approval from the Chief Executive was obtained). In any case, I am pleased to know that HA has now in place relevant internal guidelines and application procedures on the use of USB.”
6. The Report is available for download from PCPD’s website (www.pcpd.org.hk), and copies can also be collected at the Commissioner’s Office.
END