BAILII is celebrating 24 years of free online access to the law! Would you
consider making a contribution?
No donation is too small. If every visitor before 31 December gives just £1, it
will have a significant impact on BAILII's ability to continue providing free
access to the law.
Thank you very much for your support!
[New search]
[Help]
In February, the Health Service Executive (HSE) reported to this Office a data security breach involving the disclosure of patient data to a third party. Documents which were faxed to the Assisted Admissions Services from a number of Mental Health Services were faxed to a private company in error. The company alerted the HSE to the issue, stating that it had received approximately 100 such faxes over a 3 year period. It had destroyed each fax as received but had not alerted the HSE to the issue until that point. The company stated that it had 20 such faxes in its possession which it had recently received and the HSE immediately organised to collect these documents from the company.
The HSE employs a third party company to provide assisted admissions services in certain geographic areas. The issue arose when staff incorrectly entered the wrong fax number when sending such faxes, dialling the Dublin area code number rather than the correct county code number.
This Office notified the HSE of its alarm at the fact that this type of breach was occurring, especially in light of previous communications with the HSE regarding the sending of sensitive data by fax. This Office had recommended a number of measures, including that the sender should first contact the recipient to expect the fax and that the sender should ensure that the fax number is dialled correctly. The HSE responded to this Office notifying that the investigation into the matter had been escalated to its National Incident Management Team. The HSE stated that it was pre-programming the number of the Assisted Admissions Unit into all relevant fax machines. Old fax machines were replaced and additional machines provided in areas that did not have specific access to a fax machine.
The issue had appeared to have been addressed when the HSE notified this Office in August of another such incident. The HSE notified this Office that the pre- programmed number on the relevant fax machine had disappeared from the pre-programmed number list. The HSE further informed us that it was now introducing a specific 1800 fax number for the Assisted Admissions Unit. It has also changed the number dialled to access an outside number from zero to nine, to reduce the risk of an individual mis-dialling a number. This Office also advised that a sticker with the fax number of the Assisted Admissions Unit be placed on each fax machine. The HSE policy document in relation to the use of fax machines has also been displayed beside each fax machine within the HSE.
We were disappointed that this issue arose in the first instance, especially in light of previous communications with the HSE, and to then have it reoccur during the year, after the HSE had introduced preventative measures. It is apparent that staff were not adhering to the procedures which had been introduced. This issue highlights that, while data controllers can put in place systems to address potential data protection matters, all staff must be properly informed of the procedures being introduced and adhere to them.
BAILII:
Copyright Policy |
Disclaimers |
Privacy Policy |
Feedback |
Donate to BAILII
URL: http://www.bailii.org/ie/cases/IEDPC/2012/[2012]IEDPC18.html