A special investigation of data protection practices at 20 hospitals across the State has identified a catalogue of concerns including sensitive patient records being left exposed in wards and a lack of privacy when staff are speaking to patients.
The probe by the Office of the Data Protection Commissioner also found evidence that computer terminals were being left unattended for long periods, leaving patient data visible, and that sensitive records were not being disposed of securely.
"I strongly urge every hospital to positively receive this investigation report and to embrace it as a very useful tool that will enable them to spot the significant data processing security risks that may permeate their facilities on a daily basis," said Assistant Data Protection Commissioner Tony Delaney, who led the audit.
"No similar data protection investigation on this scale across 20 hospitals has ever been undertaken in the State previously. As a result, several of the risks identified in the matters of concern are ones that may not have been pointed out before to the hospitals sector."
The investigation was carried out last year and examined practices in 20 HSE facilities, voluntary hospitals and private facilities.
The hospitals, including the Mater, St Vincent's, Beaumont, the National Maternity Hospital in Dublin and Cork University Hospital, are identified in the report, although specific issues are not linked to individual facilities.
It examined the processing of sensitive personal data in departments and areas of the hospitals to which patients and the public have access.
In particular, it focused on the circulation and journey of patient records and medical files in an attempt to identify shortcomings in obligations to keep personal data safe.
It found similar problems arose in many of the hospitals that were inspected.
The investigation found there is scope for much greater security controls with regard to Medical Records Libraries in hospitals.
In particular, it discovered that controls restricting access to the library were lax, that only a small number of hospitals have a means to record staff access to such libraries, and that there was a variety of practices employed around after-hours staff access and accountability for chart removal across facilities.
The probe also found most hospitals had no alert system for charts that had been removed but not replaced.
The report also expresses concern about patient charts being transported in open-top trolleys because of the high risk of staff in control of the trolley being distracted in busy public areas.
On the issue of security, the report flags concerns about security features on computer workstations and in relation to the handling and storage of patient charts.
In particular, the inspectors found areas of weakness in relation to access controls on some doors leading to restricted areas, as well as personal data visible on computer screens viewable by passers-by.
Unattended computer screens were also left open for lengthy periods of inactivity, leaving personal data exposed, while patient files were stored in unsecure filing cabinets.
See-through plastic holders mounted on walls were also used to store patient information, while patient charts were left on shelves or tables outside consultation rooms.
In one hospital, outgoing postal correspondence to patients was left in unsecured wire trays in an unprotected environment while awaiting collection by porters.
The storage of patient observation charts in hospital wards was also noted and concern was expressed by the inspectors about how in isolation wards these charts are often hung on a wall rail outside the room, usually in a corridor area.
In wards patient charts are also stored in chart trolley bins and the investigators noted cases where unlocked trolley bins were parked outside nurses’ stations with the charts accessible by passers-by.
The storage of waste paper is also highlighted as a problem, with unsecure bins, bags or trays used in many hospitals, the authors noted.
There was also no evidence that any of the hospitals monitor compliance with standard procedure for accounting for the disposal of "handover lists" that are often compiled by nurses and stored in their uniforms during their shifts.
Fax machines are also in widespread use in hospitals, the report notes, despite the availability of encrypted email as an alternative.
The authors say this leaves open the risk of the wrong number being typed in during dialling.
Speech privacy was also a problem, the probe found, with private conversations between patients and hospital staff often carried out in places where others could overhear the details.
In particular this was an issue at reception desks and in the cubicles of emergency departments.
The risk of snooping staff, or others "blagging", accessing patient data in an unauthorised manner, and this not being detected, is also highlighted.
This is a consequence of audit trails not being fully present in every hospital record system.
A lack of efforts to raise awareness of data protection obligations among staff and patients was also noted.
In particular, inspectors found patient information in one hospital could be accessed by other hospitals, but often patients were not told this.
The authors also found in one hospital that medical staff were being allowed to examine patient charts for research purposes, but patients had not given their consent for this.
Risks were also identified around the processing of private health insurance information in hospitals.
Given the risk of sensitive personal data of pregnant women being exposed to inappropriate access by third parties while the chart is in the possession of the expectant mother, the report questions the widespread practice of giving custody of the chart to the pregnant woman.
The length of retention of data by hospitals was also examined, with risks noted around the practice in many hospitals of retaining records indefinitely.
The report sets out 76 recommendations aimed at mitigating the risks identified.
In a statement this evening, the HSE said it welcomed the recommendations from the audit.
It said they are "helpful in prioritising the activities of our hospital colleagues in strengthening our data processing activities".
It added that a revised Data Protection Policy and a new Data Privacy Statement - informing patients, service users and staff of their rights and of how their personal data is processed - have been finalised.
It added that each hospital is working on implementing the recommendations.