Media Statement - Enforcement Notice served on Hospital Authority for Data Breach arising from Disposal of Hospital Wastes containing Patient Records

Date: 24 October 2013

(24 October 2013) Hospital Authority ("HA") has been served an Enforcement Notice following a breach of the Personal Data (Privacy) Ordinance ("the Ordinance") for improper disposal of hospital waste containing the personal data of patients, the Office of the Privacy Commissioner for Personal Data ("PCPD") said today.

Background

2. The media reported on 29 June 2012 and 3 September 2012 respectively that hospital waste containing patients' data was found abandoned on the street outside a shredding factory of Confidential Materials Destruction Limited ("CMDS") in Fanling (see Table below). CMDS has been appointed as the waste disposal service provider of the HA since 2009.

Table: The two incidents of failure to destroy personal data securely

Waste items | Personal data of patients | Number of patients affected | Source
A roll of used printer ribbon | Names, HKID card numbers, dates of birth, gender, addresses and telephone numbers | 16 | Pok Oi Hospital ("POH")
Shredded strips of medical appointment slips | Names, gender, age and partial HKID card numbers | unknown | Our Lady of Maryknoll Hospital ("OLMH")

Data Protection Principle

3. Of relevance to this investigation is Data Protection Principle ("DPP") 4 in the Ordinance, which provides that a data user must take all reasonably practicable steps to ensure that the personal data it holds are protected against unauthorised or accidental access, processing, erasure or other use.

4. Also, section 65(2) of the Ordinance stipulates that where a data user entrusts personal data to a data processor for processing on its behalf, the data user remains responsible for any act done by the data processor.

Findings of the investigation

5. Under the contract between HA and CMDS ("Contract") effective from November 2009, wastes to be collected from hospitals and handled by CMDS are divided into three categories, namely:

Category | Content | Treatment
A | "Confidential" and "Restricted" Waste Paper (contain personal data) | Collection bag to be sealed with serialised sealing safety devices/labels; wastes to be shredded into strips of no more than 4 mm wide
B | Obsolete Forms/Booklets/Manuals (no personal data) | Wastes to be cut at least into two halves
C | Used Thermal Ribbons (contain personal data) | Wastes to be shredded, but no width specification of the strips is provided in the contract

HA's responsibility

6. CMDS denied responsibility for the two incidents. However, the Commissioner is of the view that the abandoned waste items, namely, POH's thermal ribbon and OLMH's medical appointment slips, were in all likelihood items that had been processed by CMDS at its Fanling factory. How these shredded wastes were abandoned on the street is yet unknown. They could have been taken away from the factory in an unauthorised manner or accidentally lost during transit to the landfills or CMDS' paper mills. By virtue of section 65(2) of the Ordinance, HA remains accountable for any unauthorised or accidental access of personal data contained in the abandoned waste in these incidents. In any event, HA admitted liability for the incidents.

Contractual omission in treatment of thermal ribbon

7. Security measures (such as the use of serialised sealing safety devices or specifying the maximum width of shredding) are found in the Contract in relation to the processing of paper wastes containing patients' personal data, but not in relation to thermal ribbon waste, which similarly contains sensitive personal data of patients. In other words, there is no contractual requirement that the number of bags of thermal ribbon waste be checked to prevent accidental loss, and no guarantee that the waste is shredded to the extent that the personal data contained therein could not be readily recognised or recovered.

Inadequate supervision of contractor

8. Under the Contract, HA and its hospitals are entitled to inspect the shredding process at CMDS' factory. If well coordinated, properly conducted and properly followed up, inspection is an effective tool to check the performance of the data processor and to identify irregular practice for prompt rectification.

9. However, HA Head Office denied responsibility for centrally monitoring the inspections carried out by hospitals. There is no guideline or coordination between HA and hospitals as to any defined frequency, scope or reporting requirement for such inspections. Instead, hospitals decided on their own whether and how to conduct the inspection, and HA neither received nor asked to review the hospitals' inspection reports.

10. HA Head Office itself had conducted infrequent inspections of CMDS' factory - twice since 2009 - but even these two rare inspections had identified key problems, namely, incomplete shredding of both the thermal ribbon and the confidential paper waste. But for such incomplete shredding of confidential paper and ribbon wastes, the abandoned hospital wastes found on the street would have been plain and meaningless wastes, without any associated risk to personal data security.

11. Further, HA had not carried out any audit it is entitled to under the Contract to review or verify if CMDS had in fact complied with its obligations under the Contract and the requirements under the Ordinance. Compared with an inspection which applies to the shredding process only, an audit could include more comprehensive and in-depth examination of the whole handling process of HA hospital wastes that comprises waste segregation at the hospitals, collection by CMDS, transportation from hospitals to CMDS' shredding factory, the shredding process, and transportation of the shredded wastes from the factory to the landfills or paper mills.

12. On the basis that the Contract is inadequate to ensure proper and complete shredding of thermal ribbons, and HA has not competently managed the Contract, Mr Allan Chiang, Privacy Commissioner for Personal Data (the "Commissioner") concluded that HA had contravened DPP4 for having failed to take all reasonably practicable steps to ensure patients' personal data were protected against unauthorised or accidental access.

Enforcement Action

13. The Commissioner has served an Enforcement Notice on HA, directing it to:

(1) make reasonable endeavour to retrieve and destroy the abandoned hospital wastes identified in the two incidents;

(2) review and revise the hospital wastes disposal process, and implement at the minimum the following improvement measures:

  • separate hospital wastes containing personal data into paper wastes and non-paper wastes;
  • specify by contractual or other means how to safeguard used thermal ribbons and to ensure they are shredded in a manner which prevents the personal data contained therein from being readily recognised or recovered;
  • ensure all paper wastes with personal data are treated at Category A security level;
  • review and revise CMDS' monthly report format to enable meaningful and effective monitoring;
  • conduct a comprehensive audit to cover the whole waste disposal process;
  • conduct inspections of hospitals and CMDS' shredding factory at least once annually;
  • assume a central monitoring role in the hospitals' inspection of CMDS' shredding factory and promulgate to hospitals policies and guidelines in this regard.

The Commissioner's Comments

14. Mr Chiang stressed, "The breach illustrates the importance of keeping personal data secure at all times. An organisation's responsibility to keep personal data secure does not end when it is taken out of the building or outsourced."

15. Data users are obliged to protect personal data by reasonable security safeguards against such risks as loss, unauthorised access, destruction, use, modification or disclosure of data. This responsibility covers the complete data life cycle from data creation to final disposal.

16. "The potential harm to individuals from the misuse of their personal data, whether accidentally lost, leaked or purposely stolen, could be significant, particularly in the case of patients when sensitive medical records are involved. The unsatisfactory performance of CMDS as HA's contractor in the treatment of hospital wastes containing patients' personal data is unacceptable."

17. Under the Ordinance, the Commissioner has no authority to regulate directly the work of CMDS as a data processor. The onus is on HA to use contractual or other means to secure CMDS' compliance with the relevant provisions of the Ordinance.

18. "Regrettably, HA's oversight of CMDS' performance, in terms of contractual and procedural rigour as well as physical supervision, is far from satisfactory. At this critical time when the Government is about to introduce the e-Health Record Sharing System which has serious privacy implications, it is imperative for HA to measure up and demonstrate to the public its commitment to ensuring privacy and data protection", added Mr Chiang.

Read the Investigation Report: http://www.pcpd.org.hk/english/resources_centre/publications/files/R13_6740_e.pdf

Information Leaflet: Outsourcing the Processing of Personal Data to Data Processors http://www.pcpd.org.hk/english/resources_centre/publications/files/dataprocessors_e.pdf

- End -

Notes to Editors:

1. The PCPD is an independent statutory body set up to oversee the enforcement of the Personal Data (Privacy) Ordinance in Hong Kong.

2. Anyone who collects and uses (including discloses and transfers) personal data must comply with the six Data Protection Principles (DPPs) of the Ordinance, which make sure that personal data is:

  • fairly and lawfully collected, adequate, relevant and not excessive (DPP1)
  • accurate and up to date; not kept for longer than is necessary (DPP2)
  • used for limited purposes (DPP3)
  • secure (DPP4)
  • processed in line with open privacy policies (DPP5)
  • processed in line with data subjects’ rights to access and correct their data (DPP6).

3. Non-compliance with DPPs does not constitute a criminal offence directly. But the Privacy Commissioner may serve an Enforcement Notice to direct the data user concerned to remedy the contravention. Contravention of an Enforcement Notice is an offence which could result in a maximum fine of HK$50,000 and imprisonment of up to 2 years.

4. If an enquiry/investigation finds prima facie evidence that an offence is involved, the Commissioner may refer the case to the police for criminal investigation or prosecution.