An investigation by the Privacy Commissioner for Personal Data has found that the United Christian Hospital contravened the Personal Data (Privacy) Ordinance in the loss of a USB flash drive containing patients' personal data.
Releasing the report today, Commissioner Roderick Woo said that, before using a USB device, hospital staff should first consider whether there is a real need to use it or whether there is any other effective substitute, and assess the potential risk of using it.
"In this case, the medical staff could in fact substitute intranet for USB, which could minimise the risk and impact of losing patients' personal data. When transmitting data by electronic means, the issue of security should also be assessed appropriately."
The hospital has accepted the commissioner's recommendations and has implemented the data protection policy and guidelines set up by the Hospital Authority Task Force on Patient Data Security & Privacy.
It has provided hospital staff with procedural guidelines on the proper use of USB devices and has implemented technical improvements, such as automatic encryption of patient data downloaded from its clinical systems, to further protect the data and enforce security.