HSE cited over lax data securityThursday 08 April 2010 20.02
Data Protection Commissioner Billy Hawkes has called on the Health Service Executive to make improving the security of its systems for transferring patient data a top priority.
Click here to read the full report
In his annual report for 2009, Mr Hawkes also expressed concern at, what he called, ‘the reluctance of some State bodies to take sufficient account of data protection issues.’
Last year, over 900 complaints were formally investigated by the Data Protection Commissioner, continuing the previous year's slight downward trend.
However, at 120, reported data security breaches were up 50%.
The Commissioner says that while legal enforcement notices were generally not necessary, of the four issued which have not been appealed, two of them were to Iarnród Éireann.
The report found that Bord Gáis had inappropriate security measures on a laptop computer - containing records relating to customers - which was stolen last year.
A similar finding was made in relation to the HSE following the theft of an unencrypted laptop.
The HSE was also cited by the Data Commissioner last year, prompting him to make what he calls ‘extensive and demanding’ recommendations.
These include the HSE taking responsibility for encrypting laptops, rather than asking individual staff members to do so, and ensuring patient data is stored only on devices owned by the HSE.
The Commissioner notes that due to an exemption for politicians, he could not investigate the large number of complaints concerning the sending of unsolicited text messages in the run-up to the local elections last year.
The report also found that motor tax offices are increasingly being asked to provide information on drivers to third parties.
Insurance company Quinn Direct was directed to cease requesting details of penalty points for the previous five years from potential customers when - by law – points only stay on a licence for three years.
The company ‘stated that its quotation process would be revised to ensure that details on penalty points would only be requested for the previous three years.’
An airline was also found to have breached regulations in providing details of a female passenger's travels to the woman's husband's employer, leading to the husband losing his job.
The HSE has said it takes its data protection responsibilities 'very seriously' and will review the DPC report.
In a statement it said: 'The HSE has and will continue to work closely with the Data Protection Commissioner and have kept him informed at all times about all data protection issues with regard to the HSE.'