Over on DataBreaches.net, I mentioned a previously unknown (to me) breach that was revealed in Ireland’s Data Protection Commissioner’s 2010 Annual Report. Another incident that the report included involved a medical privacy complaint. At pp. 82-83:
Case study 17: Inappropriate disclosure of medical research data
In March 2010 we were contacted by a lady who had received a telephone call from a university student asking if her husband would be interested in participating in a survey. The survey related to a disease suffered by her husband. As her husband was not at home at the time of the call, the lady suggested to the caller that she phone again at another time. On the following evening the lady answered the phone again to
a different student about the same matter. On this occasion she questioned the caller about how he had obtained information about her husband’s medical condition. She was informed that the student’s lecturer had obtained the data from an affiliated hospital where her husband attended as a patient. She contacted our Office about her concerns in relation to the disclosure of her husband’s sensitive medical information.From the outset of our investigation we received full cooperation from the hospital and from the university. The incident was treated seriously by both entities and it was accepted by all sides that a breach of the Data Protection Acts had occurred.
Background
The hospital has a strong commitment to clinical research with a view to improving care for patients. This can involve collaboration with other institutions including colleagues in its affiliated university. Typically in this type of collaborative research, the research team from the University work closely with a multidisciplinary team in the hospital for the duration of the research proposal. This study had the full support of the clinical staff and every effort was made to facilitate recruitment of patients for the study. The normal procedure for clinical research is to recruit patients through advertising or during their normal clinic attendances. In this case, a decision was made to extract data from the hospital database and contact patients directly by
telephone to arrange to meet them with a view to obtaining informed consent. This process change should have been brought to the attention of the relevant Ethics Committees. However, due to a misinterpretation of the approval and the researchers’ obligations under the Data Protection Acts, the Ethics Committees were not informed.The Breach
The breach of the Data Protection Acts took place when a qualified clinical researcher at the university was given printed copies of patient data from the hospital database relating to the disease under research. After initial attempts to contact patients at scheduled clinics, a decision was taken by the clinical research team to contact the patients directly.
Action Taken Following Breach
On becoming aware of the breach the hospital immediately began an investigation. The patient recruitment process was halted and the data was returned. A review of the hospital’s research ethics approval processes, data protection policies and communication procedures took place in the course of the investigation. It has
established guidelines and policies for ethical approval of research proposals involving patients. The review prompted an update of the application procedure to include more detailed requirements for researchers in regard to recruitment, data collation and data protection issues. In future, the hospital will ensure that applicants are informed of their obligations and insist on attendance at appropriate good practice in clinical research courses. The hospital will also include a section dedicated to awareness of data protection issues in their regular workshops for researchers.Following our investigation we are satisfied that a much greater focus will be applied to compliance with the Data Protection Acts in the course of such research projects. As the data controller in this instance, the hospital took full responsibility for the breach from the outset. It wrote to all of the affected patients to acknowledge the breach, to explain what had occurred and to apologise for it. The behaviour of the
hospital in responding to this issue was impeccable and reassure me of its commitment to data protection and its determination to learn from this experience.
Curiously, the Data Protection Commissioner did not name the university or the hospital, although he did name other entities that had breaches. Why wasn’t the hospital and university case study treated with the same transparency as the other incidents?