PCPD - Privacy Commissioner welcomes HA's new measures on the protection of patients' personal data

Date: 4 August 2009

Privacy Commissioner Welcomes Hospital Authority's New Measures on the Protection of Patients' Personal Data

1.   Last year, the Privacy Commissioner for Personal Data (“the Commissioner”) Mr. Roderick B. Woo recommended to the Hospital Authority (“HA”) to use unique identifiers and not Hong Kong identity card numbers for purposes other than (a) identity authentication of patients and (b) the prescription of drugs so as to minimize the risk of leaking patients’ data caused by human errors. The Commissioner is pleased that the HA has begun to implement his recommendation.

2.    Following a series of patients’ data leakage incidents in various public hospitals last year, the Commissioner inspected HA’s patients’ data system and published a Report on 22 July 2008 in which he made 37 recommendations to the HA to improve the system. He suggested that unique identifiers be used instead of patients’ Hong Kong identity card numbers for purposes other than authentication of the patients’ identities and the prescription of drugs. The Report can be viewed at the website of the Office of the Privacy Commissioner for Personal Data (“PCPD”) (http://www.pcpd.org.hk/english/publications/invest_report.html).

3.    Since then, the HA has been submitting quarterly progress reports to the Commissioner. In the first progress report submitted in October 2008, the HA advised the Commissioner that it had designated an officer to be responsible for the coordination of information technology security and privacy protection programmes. Encryption of portable computing devices was in progress to prevent unauthorized access to downloaded patients’ data. Moreover, a centralized email server was being developed to enhance email security through centralized policies and encryption tools.

4.    The Commissioner was advised by HA’s second progress report submitted in March 2009 that a head office and cluster levels Security and Privacy Committee had been set up and all matters relating to patients’ privacy would be handled by specific personnel. The HA was actively studying the feasibility of using unique identifiers other than patients’ Hong Kong identity card numbers for purposes other than authentication of patients’ identities and the prescription of drugs. Moreover, new policies would restrict the downloading of patients’ data by HA’s staff and require the use of encryption in any downloading to portable electronic storage devices. In case of patients’ data leakage, the HA would follow the new policies and inform the affected patients as well as the Commissioner, and take remedial action.

5.    The PCPD is currently waging a “Care for patients – Protect their personal data” Campaign to enhance HA’s staff’s awareness of protecting patients’ data privacy rights. Since May 2009, the PCPD has organized 22 seminars on personal data protection at Pamela Youde Nethersole Eastern Hospital, Ruttonjee Hospital, Cheshire Home Chung Hom Kok, St. John Hospital, Wong Chuk Hang Hospital, Tung Wah Eastern Hospital, United Christian Hospital, Tseung Kwan O Hospital and Bradbury Hospice. Responses were good and an audience of 2,792 people has been recorded. Over 2,000 people have also visited the PCPD’s “Privacy Desk” and display panels in various hospitals.

6.    The PCPD will visit Haven of Hope Hospital, Shatin Hospital, Prince of Wales Hospital, Alice Ho Miu Ling Nethersole Hospital, Cheshire Home Shatin and other hospitals to continue the Campaign.

7.    The Commissioner understands that the working hours of medical practitioners are not fixed, so an online self-training module on privacy protection is being designed to enable HA staff to learn more about the protection of patients’ personal data without any time constraint.

END