DataBreaches.Net


Case study from Ireland's Data Protection Commissioner reveals need for ethics review in research recruitment to protect privacy

Posted on May 30, 2011 by Dissent

Over on DataBreaches.net, I mentioned a previously unknown (to me) breach that was revealed in Ireland’s Data Protection Commissioner’s 2010 Annual Report. Another incident that the report included involved a medical privacy complaint. At pp. 82-83:

Case study 17: Inappropriate disclosure of medical research data

In March 2010 we were contacted by a lady who had received a telephone call from a university student asking if her husband would be interested in participating in a survey. The survey related to a disease suffered by her husband. As her husband was not at home at the time of the call, the lady suggested to the caller that she phone again at another time. On the following evening the lady answered the phone again to a different student about the same matter. On this occasion she questioned the caller about how he had obtained information about her husband’s medical condition. She was informed that the student’s lecturer had obtained the data from an affiliated hospital where her husband attended as a patient. She contacted our Office about her concerns in relation to the disclosure of her husband’s sensitive medical information.

From the outset of our investigation we received full cooperation from the hospital and from the university. The incident was treated seriously by both entities and it was accepted by all sides that a breach of the Data Protection Acts had occurred.

Background

The hospital has a strong commitment to clinical research with a view to improving care for patients. This can involve collaboration with other institutions including colleagues in its affiliated university. Typically in this type of collaborative research, the research team from the University work closely with a multidisciplinary team in the hospital for the duration of the research proposal. This study had the full support of the clinical staff and every effort was made to facilitate recruitment of patients for the study. The normal procedure for clinical research is to recruit patients through advertising or during their normal clinic attendances. In this case, a decision was made to extract data from the hospital database and contact patients directly by telephone to arrange to meet them with a view to obtaining informed consent. This process change should have been brought to the attention of the relevant Ethics Committees. However, due to a misinterpretation of the approval and the researchers’ obligations under the Data Protection Acts, the Ethics Committees were not informed.

The Breach

The breach of the Data Protection Acts took place when a qualified clinical researcher at the university was given printed copies of patient data from the hospital database relating to the disease under research. After initial attempts to contact patients at scheduled clinics, a decision was taken by the clinical research team to contact the patients directly.

Action Taken Following Breach

On becoming aware of the breach the hospital immediately began an investigation. The patient recruitment process was halted and the data was returned. A review of the hospital’s research ethics approval processes, data protection policies and communication procedures took place in the course of the investigation. It has established guidelines and policies for ethical approval of research proposals involving patients. The review prompted an update of the application procedure to include more detailed requirements for researchers in regard to recruitment, data collation and data protection issues. In future, the hospital will ensure that applicants are informed of their obligations and insist on attendance at appropriate good practice in clinical research courses. The hospital will also include a section dedicated to awareness of data protection issues in their regular workshops for researchers.

Following our investigation we are satisfied that a much greater focus will be applied to compliance with the Data Protection Acts in the course of such research projects. As the data controller in this instance, the hospital took full responsibility for the breach from the outset. It wrote to all of the affected patients to acknowledge the breach, to explain what had occurred and to apologise for it. The behaviour of the hospital in responding to this issue was impeccable and reassures me of its commitment to data protection and its determination to learn from this experience.

Curiously, the Data Protection Commissioner did not name the university or the hospital, although he did name other entities that had breaches. Why wasn’t the hospital and university case study treated with the same transparency as the other incidents?

Category: Health Data
