The Office of the Privacy Commissioner for Personal Data in Hong Kong has published a report on an investigation into the Hospital Authority’s data security practices.
The investigation arose after two incidents in 2012 when a passerby found patient information from two hospitals in the street near the Hospital Authority’s contractor for shredding services. The Hospital Authority has ultimate responsibility for the contract with the shredding service and for oversight of the contract.
The Privacy Commissioner found that the Hospital Authority had not conducted inspections nor ensured that individual hospitals under its authority monitored or inspected the shredding service. He concluded that the Hospital Authority had violated Data Principle 4 of the Ordinance by not ensuring that all reasonable and practicable steps had been taken to protect patient data from accidental access.
There was no monetary penalty involved in the enforcement action, but the report notes changes the Hospital Authority agreed to make as a result of the incidents and findings.