Skip to content

Case Notes

Case Notes

This case related to DPP4 - Security of personal data

Case No.:2015C03

A hospital mistakenly disclosed the medical condition of a patient to the patient’s mother though it had been requested to keep it confidential – DPP4

The Complaint

After having been diagnosed with serious illness, the Complainant requested the hospital to keep his illness confidential. The hospital acceded to the request and recorded it on his chart board. However, the hospital’s nurse still called the Complainant’s mother and disclosed his medical condition to her.

The hospital explained that stemmed from the necessity of transferring the Complainant to the Specialty Ward of another hospital. The nurse-in-charge intended to call the Specialty Ward for arranging the transfer according to the data on the Complainant’s chart board. However, the nurse mistakenly dialled the emergency contact number (i.e. the telephone number of the Complainant’s mother) on another page of the chart board and disclosed the Complainant’s illness to the call receiver (i.e. the Complainant’s mother) without first confirming that the receiver was a medical staff member of the Specialty Ward.

Outcome

Patients’ medical records are highly sensitive personal data and must be handled with extra care. As the hospital in this case had not taken all the practicable steps to ensure that its patient’s personal data was protected against unauthorised or accidental use, the Commissioner held that the hospital had contravened DPP4.

In the course of investigation, the hospital had given a warning to the nurse and issued a written notice to all medical staff requiring them to check the correctness of the telephone numbers of the receivers and confirm the receivers’ identities before disclosing patients’ medical records over the phone in future. The Commissioner issued a warning to the hospital urging it to clearly communicate the above requirements to its staff, and take practicable steps to ensure staff compliance so as to enhance staff’s compliance with the personal data protection under the Ordinance.

(Uploaded in September 2016)


Category : Provisions/DPPs/COPs/Guidelines : Topic/Subject Matter :