Published in:
Data Protection
ODPC Issues Enforcement Notice Against Hospital for Sharing Patient’s Details
The Office of the Data Protection Commissioner (ODPC) recently issued a determination arising from a complaint over the unlawful processing of patients’ personal data at Swaminarayan Hospital.
Background
The Complainant alleged that, after visiting the Respondent’s hospital for medical consultation and laboratory testing, she received laboratory results that did not belong to her. The results related to an unknown third party.
As part of the investigations, the Data Commissioner requested the Respondent to provide:
- A formal reply addressing the claims made by the complainant.
- Any relevant materials or documentation to support the hospital’s response.
- The lawful bases relied upon to process the Complainant’s personal data.
- Demonstration of the hospital’s adherence to the principles outlined in section 25 of the Data Protection Act.
- A written declaration showing how the hospital complies with the Act and its regulations.
- Details of any measures adopted or being adopted to address the complaint and prevent future breaches.
The Hospital's Response
The Respondent stated that the Complainant's sample was properly labelled, processed and securely stored, and maintained that there had been no unauthorised access to her personal or biological data. Further, the Respondent attributed the incident to a clerical or routing error at the communication stage, which led to the wrong laboratory report being sent to her by email.
The Respondent expressed regret for the inconvenience caused to the Complainant and noted that the incident had provided an opportunity to strengthen its internal safeguards. It added that the matter arose from an administrative mismatch and did not involve unauthorised access to, or disclosure of, the Complainant's personal data.
Determination
- Section 2 of the Data Protection Act defines health data as "data related to the state of physical or mental health of the data subject and includes records regarding the past, present or future state of the health, data collected in the course of registration for, or provision of health services, or data which associates the data subject to the provision of specific health services." Under the same section, sensitive personal data is defined to include health data.
- Section 44 of the Act provides that no category of sensitive personal data shall be processed unless section 25 [principles of data protection] applies to that processing. Section 46 (1) further provides that personal data relating to "health may only be processed by, or under the responsibility of a healthcare provider or by a person subject to the obligation of professional secrecy under any law."
- The Respondent admitted that it sent the Complainant inaccurate laboratory test results due to a clerical or routing error. In doing so, its employees were processing patients’ lab results, which constitute sensitive personal data.
- Under section 44 of the Act, the Respondent was required to process the Complainant's data in accordance with the principles set out under section 25 (a) and (f) of the Act. Specifically, it was obliged to process the data accurately.
- The Respondent violated section 25 (a) and (f), as read with section 44 of the Act, to the extent that it did not send the Complainant accurate laboratory test results. The Respondent also failed to discharge its responsibility over the Complainant's health data as envisaged under section 46 of the Act.
- Consequently, the Data Commissioner issued an Enforcement Notice against the Respondent for failing to comply with the provisions of the Act.