PCPD News • Issue no. 29
Data Breach: Improper Disposal of Hospital Wastes Containing Patient Records
The PCPD found that the Hospital Authority ("HA") had mishandled hospital waste containing patient records, in breach of Data Protection Principle 4 (data security), and therefore directed the HA to take remedial measures and to strengthen the protection of patients' personal data privacy.
In June and September 2012 respectively, the press reported that members of the public had found, on the street outside the Fanling shredding factory of Confidential Materials Destruction Limited ("CMDS"), a roll of used printer ribbon from Pok Oi Hospital and a batch of shredded patient appointment slips from Our Lady of Maryknoll Hospital. The waste contained patients' personal data such as names, sex, age/date of birth and identity card numbers.

CMDS has been contracted to provide waste disposal services to the HA since 2009.
Under the Ordinance, the Privacy Commissioner has no power to regulate directly the conduct of a subcontracted data processor (contractor); he can only rely on the data user to use contractual or other means to secure the contractor's compliance with the relevant requirements of the Ordinance. The PCPD's self-initiated investigation found two major problems:

1. The contract was deficient in its handling of printer ribbons: it did not require the recycling bags containing ribbons to be counted, to guard against loss in transit, nor did it specify the degree to which ribbons must be shredded so that the personal data on them cannot be identified or recovered.

2. The HA and the hospitals under it did not exercise the contractual terms to monitor CMDS's shredding process effectively. HA Head Office denied that it had any responsibility to coordinate and supervise the inspections carried out by its hospitals; the HA had also never reviewed the hospitals' inspection reports, or used audits to examine the hospital waste disposal process more comprehensively and in depth.
The Privacy Commissioner has issued an enforcement notice directing the HA to (1) retrieve and destroy the hospital waste abandoned in the incidents; and (2) review and revise the hospital waste disposal procedures.
Allan Chiang (蔣任宏) stressed: "This incident carries a message: the importance of protecting personal data at all times. Even when the personal data held by an organisation is handled outside its premises or outsourced to a third party, the organisation's responsibility to protect that data remains. The performance of CMDS, as the HA's contractor, in handling patient data was highly unsatisfactory. The HA's oversight of CMDS in contractual and procedural terms was weak, and its on-site monitoring was also far from satisfactory."
Read the Investigation Report:
www.pcpd.org.hk/english/publications/files/R13_6740_e.pdf
The Hospital Authority ("HA") has been served an enforcement notice following a breach of Data Protection Principle 4 (data security) for improper disposal of hospital wastes containing the personal data of patients.

It was reported in the press in June and September 2012 respectively that a roll of used printer ribbon from Pok Oi Hospital and shredded strips of medical appointment slips from Our Lady of Maryknoll Hospital were found abandoned on the street outside a shredding factory of Confidential Materials Destruction Limited ("CMDS") in Fanling. The wastes contain personal data of patients such as their names, genders, ages/dates of birth and identity card numbers.

CMDS has been appointed as the waste disposal service provider of the HA since 2009.
Under the Ordinance, where a data user outsources the work of data processing, the Privacy Commissioner has no authority to regulate directly the work of a data processor (contractor). The onus is on the data user to use contractual or other means to secure its contractor's compliance with the Ordinance.

The PCPD's self-initiated investigation into the two incidents has revealed two key issues:
1. Contractual omission. There is no contractual requirement that the number of bags of thermal ribbon waste is checked to prevent accidental loss during transit, or that the waste is shredded to the extent that the personal data contained therein could not be readily recognised or recovered.

2. Inadequate supervision of contractor. Neither HA Head Office nor the hospitals had exercised the right provided by the contract to effectively inspect the shredding process at CMDS' factory. HA Head Office denied its responsibilities for centrally monitoring the inspections and had never reviewed the hospitals' inspection reports. Moreover, HA had not carried out any audit to which it is entitled under the Contract to review compliance throughout the whole handling process of hospital wastes.
The Privacy Commissioner has served an enforcement notice on HA, directing it to: (1) endeavour to retrieve and destroy the abandoned hospital wastes identified in the two incidents, and (2) review and revise the hospital wastes disposal process, and implement specified improvement measures.
The Privacy Commissioner stressed that the breach illustrates the importance of keeping personal data secure at all times. An organisation's responsibility to keep personal data secure does not end when it is taken out of the building or outsourced. The unsatisfactory performance of CMDS as HA's contractor in the treatment of hospital wastes containing personal data is unacceptable, and the HA's oversight of CMDS' performance, in terms of contractual and procedural rigour as well as physical supervision, is also far from satisfactory.
Read the Investigation Report:
www.pcpd.org.hk/english/publications/files/R13_6740_e.pdf