DataBreaches.Net


Case study from Ireland's Data Protection Commissioner reveals need for ethics review in research recruitment to protect privacy

Posted on May 30, 2011 by Dissent

Over on DataBreaches.net, I mentioned a previously unknown (to me) breach that was revealed in Ireland’s Data Protection Commissioner’s 2010 Annual Report. Another incident that the report included involved a medical privacy complaint. At pp. 82-83:

Case study 17: Inappropriate disclosure of medical research data

In March 2010 we were contacted by a lady who had received a telephone call from a university student asking if her husband would be interested in participating in a survey. The survey related to a disease suffered by her husband. As her husband was not at home at the time of the call, the lady suggested to the caller that she phone again at another time. On the following evening the lady answered the phone again to a different student about the same matter. On this occasion she questioned the caller about how he had obtained information about her husband’s medical condition. She was informed that the student’s lecturer had obtained the data from an affiliated hospital where her husband attended as a patient. She contacted our Office about her concerns in relation to the disclosure of her husband’s sensitive medical information.

From the outset of our investigation we received full cooperation from the hospital and from the university. The incident was treated seriously by both entities and it was accepted by all sides that a breach of the Data Protection Acts had occurred.

Background

The hospital has a strong commitment to clinical research with a view to improving care for patients. This can involve collaboration with other institutions including colleagues in its affiliated university. Typically in this type of collaborative research, the research team from the University work closely with a multidisciplinary team in the hospital for the duration of the research proposal. This study had the full support of the clinical staff and every effort was made to facilitate recruitment of patients for the study. The normal procedure for clinical research is to recruit patients through advertising or during their normal clinic attendances. In this case, a decision was made to extract data from the hospital database and contact patients directly by telephone to arrange to meet them with a view to obtaining informed consent. This process change should have been brought to the attention of the relevant Ethics Committees. However, due to a misinterpretation of the approval and the researchers’ obligations under the Data Protection Acts, the Ethics Committees were not informed.

The Breach

The breach of the Data Protection Acts took place when a qualified clinical researcher at the university was given printed copies of patient data from the hospital database relating to the disease under research. After initial attempts to contact patients at scheduled clinics, a decision was taken by the clinical research team to contact the patients directly.

Action Taken Following Breach

On becoming aware of the breach the hospital immediately began an investigation. The patient recruitment process was halted and the data was returned. A review of the hospital’s research ethics approval processes, data protection policies and communication procedures took place in the course of the investigation. It has established guidelines and policies for ethical approval of research proposals involving patients. The review prompted an update of the application procedure to include more detailed requirements for researchers in regard to recruitment, data collation and data protection issues. In future, the hospital will ensure that applicants are informed of their obligations and insist on attendance at appropriate good practice in clinical research courses. The hospital will also include a section dedicated to awareness of data protection issues in their regular workshops for researchers.

Following our investigation we are satisfied that a much greater focus will be applied to compliance with the Data Protection Acts in the course of such research projects. As the data controller in this instance, the hospital took full responsibility for the breach from the outset. It wrote to all of the affected patients to acknowledge the breach, to explain what had occurred and to apologise for it. The behaviour of the hospital in responding to this issue was impeccable and reassures me of its commitment to data protection and its determination to learn from this experience.

Curiously, the Data Protection Commissioner did not name the university or the hospital, although he did name other entities that had breaches. Why wasn’t the hospital and university case study treated with the same transparency as the other incidents?

Category: Health Data
