Skip to content

Case Notes

Case Notes

This case related to DPP4 - Security of personal data

Case No.:2022DB02

Unauthorised photo-taking in a hospital – DPP 4 – security of personal data

Background

A hospital reported to the PCPD that a research staff from a university had attended a ward and an operating theatre for surgery observations. Even though “No photo taking” signs were posted on the walls of the ward and the operating theatre, the staff took photos and shared them with others via an instant messaging app. One of the photos showed the names, HKID Card numbers, gender, age and brief operation details of seven patients. The research staff stated that he was not aware that his act of photo sharing had inadvertently disclosed patients’ personal data.

Remedial Measures

Upon receiving the notification from the hospital, the PCPD initiated a compliance check and provided recommendations to the hospital to ensure compliance with the provisions of the PDPO. The hospital requested the university to remind its staff members to observe the guidelines of the hospital when they entered the clinical areas of the hospital. The university promulgated a new set of guidelines for the proper handling of patients’ personal data and sensitive information. It explicitly prohibited photo taking at any wards or operating theatres as well as uploading and sharing of photos or text messages containing patient data through social media platforms or instant messaging app.

Lesson learnt

Patient’s data are sensitive personal data which should be afforded a high degree of protection. To this end, organisations handling patients’ data should formulate clear data protection guidelines, in which practical examples relevant to their operations could be included to better illustrate what may constitute violations of the guidelines. Adequate staff training should be provided to instil a data protection mindset in staff and remind them to give due consideration to the established protocols on the proper handling of patients’ personal data.

(Uploaded in February 2023)


Category : Provisions/DPPs/COPs/Guidelines : Topic/Subject Matter :