 From Hong Kong's Information Services Department
July 22, 2008

Personal data

Systematic patients-privacy audit urged
Office of the Privacy Commissioner for Personal Data

Privacy Commissioner Roderick Woo has advised the Hospital Authority to adopt a systematic privacy audit approach across all hospitals to detect any early sign of data breach or non-compliance.


In his inspection report published today, Mr Woo said the authority has in place detailed written policies and practices to deal with patients' data security - but the absence of a holistic approach makes it difficult for medical staff to comply with the rules.


"There is also a pressing need for the HA to raise the level of privacy awareness of its staff by providing more training and education to promote compliance with the ordinance and to minimise the risk of future breaches through human errors," he added.


Key suggestions

He has made 37 recommendations to help the body improve patients' data management. Key suggestions include:

* to assign a committee or designated person to devise, update, review and consolidate in a timely manner all manuals, policies and practices in relation to patients' data security;

* to study the feasibility of using unique identifiers other than identity card numbers for purposes other than authentication of patients' identities and drug prescriptions;

* to conduct a security risk assessment on the current use of HKID numbers as identifiers;

* to consider, review and devise a retention policy for electronic data other than clinical data to prevent excessive hoarding of unnecessary data; and

* to devise procedures to ensure that when removable electronic storage devices are returned after use, all data are erased to industry standard.


Positive response

Welcoming the recommendations, Hospital Authority Chief Executive Shane Solomon said the suggestions will be studied in detail along with those of the authority's Taskforce on Patient Data Security & Privacy. 


He said the taskforce is expected to complete its report by mid-August, for its deliberation in the September board meeting.


The authority will set up a dedicated team to work solely on improving data security, including follow-up of the Privacy Commissioner's recommendations.


Mr Solomon said significant progress will be made in addressing the recommendations over the next 12 months.