Health staff will require better training in how to handle personal data following two complaints which triggered lengthy investigations, the ODPA has ordered.
The investigations found that mandatory training for staff was not good enough, monitoring and enforcement processes for the training were “ineffective”, and policies for when a staff member leaves had not be observed.
One complainant highlighted several instances where their medical records were accessed on hospital systems without good reason. In this case, staff had not completed the mandated training required and poor follow-up procedures failed to identify the disconnect.
The second complaint concerned staff using a patient’s personal device for work purposes since an official HSC laptop had not been returned following the departure of another staff member, and alternative devices were unavailable.
“HSC was unaware that the device was missing at the time due to the leavers process that was in place having not been correctly followed,” the ODPA said.
“Had a robust process been in place and implemented, this incident may have been avoided entirely. It is understood that workplace devices have since been issued."
HSC were noted to process “large amounts of very sensitive personal data raising the risk level of any processing and requiring more robust compliance as a result”.
Pictured: Medical records were incorrectly accessed by staff.
The ODPA ultimately concluded that HSC failed to comply with data protection principles, failed to comply with those principles by not having staff training or staff leavers policies which were robust enough, and did not take reasonable steps to ensure the security of personal data.
In a public statement issued yesterday, the Data Protection Authority said “process and governance matters. The greater the potential harm, the more robust the process should be.
“It should be noted that even minor procedural missteps can have significant and sometimes entirely unexpected consequences. It is not enough to react to data protection issues; controllers must be proactive in how they assess and manage risk in their organisations.”
HSC has until the end of March to demonstrate that it has improved processes in the areas investigated.
Comments
Comments on this story express the views of the commentator only, not Bailiwick Publishing. We are unable to guarantee the accuracy of any of those comments.