Introduction
People’s right to personal privacy is recognised both by the Constitution of Ireland (Bunreacht Na hEireann 1937) and by European legislation (European Union 2000). The Data Protection Acts (DPA) (2003) provide a legal framework that safeguards this basic human right, confers rights on individuals and places responsibilities on those persons processing personal data. In the DPA, special consideration is given to certain categories of ‘sensitive data’, which are therefore granted special protection. This ‘sensitive data’ includes data on physical and mental health. Table 1 provides definitions of some of the key terms used in the DPA.
The Code of Practice for Healthcare Records Management (The National Hospitals Office 2007) stresses the responsibility of each hospital for establishing and maintaining policies and procedures that assure patients that their medical information is treated in confidence and not shared inappropriately. Maintaining patients’ confidentiality is considered not only a matter of professionalism but also a legal obligation. This document also recognises education, training and audit as key procedures in healthcare record management.
Conviction of an offence under the DPA may result in forfeiture or destruction of data material, a fine of up to €100 000, or exposure to civil action by the person(s) affected seeking compensation for injury (defamation, breach of confidentiality or mental distress).
The DPA set out eight principles regulating the handling of personal data. These are:
1. Fair obtaining and processing of information.
2. Keeping data only for specified and lawful purpose(s).
3. Processing data only in ways compatible with the purposes for which it was given initially.
4. Keeping data safe and secure.
5. Keeping information accurate and up-to-date.
6. Ensuring that data is adequate, relevant and not excessive.
7. Retaining data no longer than is necessary for the specified purpose or purposes.
8. Allowing subjects access to their personal data on request.
In compliance with the DPA, the hospital where this audit was performed adopted a data protection policy that holds responsible for compliance with data protection legislation not only the Hospital Board but also every employee who collects, controls the contents of and/or uses personal data.
Aims
The purposes of this audit are (1) to assess compliance with the DPA by the Department of Psychiatry in the hospital; (2) to implement measures that are likely to maximise compliance with the hospital data protection policy; and (3) to close the audit cycle by assessing the impact of such measures on departmental compliance with the DPA over a 5-month period.
Methods
Setting
The department audited is situated in a portable, one-storey building attached to the main building of the hospital. It contains seven small offices shared by various medical and nursing staff, social workers and psychologists. A front office is used as a reception and secretarial office and also to store the files of patients awaiting review in the outpatient clinics. All offices are supplied with computer units with access to the hospital intranet and a shared folder for the department. Filing cabinets are available in all offices, but many do not have keys or have been left locked for undefined periods of time. One office is used by a separate mental health team and was not included in this audit.
Twice a week, a ‘common’ registrar office is used for clinical meetings. It contains a whiteboard on which details on inpatients under regular follow-up are written to facilitate communication between team members. Department offices are regularly used for patient review appointments, psychotherapy sessions and family meetings. However, the bulk of outpatient activities are performed in the designated, main hospital outpatient department.
The department is guarded by a swipe card entry system and keys. The door is opened at around 08:00 a.m. by security staff and locked after 06:00 p.m. A small side door leading to the outside lawns and car park is kept open during this period as a fire exit. Each office has a key that is kept in a common place for the use of all staff.
Study instruments
A checklist on data protection policy was used to determine areas that needed to be audited and also to compile two separate data collection forms. This checklist was developed by the Office of the Data Protection Commissioner as part of their proposed data protection audit resources (Office of the Data Protection Commissioner 2009) and it summarises different elements of the DPA. Using this checklist, two data collection forms were developed:
1. An individual, anonymised staff questionnaire on data collection practices, procedure of disclosure of data to third parties (i.e. any person who is neither the data controller nor the data subject), previous training and readings on the DPA and awareness of the role of the Data Protection Officer in the hospital (Appendix 1).
All department staff (medical, nursing, psychology, social work and visiting staff) were asked to fill in this questionnaire.
2. An inspection checklist with slots for day, date and time of inspection. This checklist includes digital and manual data security, data on screens and boards security and disposal of waste papers and printouts (Appendix 2).
Procedures
Regular inspections of the department offices were performed over a 1-week period covering both ordinary working days and a weekend. Inspections were performed in four time bands thought to be the most vulnerable: between 07:00 and 09:00 a.m., between 10:30 and 11:30 a.m. (coffee break), between 01:00 and 02:00 p.m. (lunch break) and between 05:00 and 08:00 p.m. (after hours). A total of 14 inspections were performed over the week. Staff members were not made aware of the inspection times or the areas audited. Twelve inspections were performed on ordinary weekdays and two on a weekend day. Four inspections were performed before 09:00 a.m., four during the lunch break, and three each at coffee break time and after hours.
A scoring system was adopted that counted the number of defaults, to facilitate comparisons between different inspection times. Each office unit was counted as one default point if unattended manual files were accessible. If doors were locked but keys were readily available to ‘potential intruders’, the default point was still counted. Each unattended and accessible (not logged off) computer unit was counted as one default point. Screen or whiteboard data visible through the windows was also counted as one default point. Accessibility of psychology or social work files to unauthorised staff was also counted.
Total number of default points for each inspection was calculated and recorded.
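The scoring scheme described above, implemented as an added example that is not part of the original audit or the hospital's own tooling. It assumes a per-office inspection record (the field names are hypothetical) and generalises slightly beyond the text by also grouping inspections by time band and phase to give the means plotted later; the sample inspections are constructed, not data from the audit.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass
class OfficeInspection:
    """One office as observed during one inspection visit (hypothetical record layout)."""
    office: str
    unattended_manual_files: bool    # patient files reachable by anyone entering the office
    door_locked: bool
    key_readily_available: bool      # key left in the common place or in view
    unlocked_computers: int          # unattended units not logged off
    data_visible_through_window: bool  # screen or whiteboard readable from outside
    restricted_files_accessible: bool  # psychology / social-work files reachable by unauthorised staff


def office_default_points(o: OfficeInspection) -> int:
    """Default points for a single office under the audit's scoring rules."""
    points = 0
    # A locked door only protects the files if the key is not readily available.
    files_protected = o.door_locked and not o.key_readily_available
    if o.unattended_manual_files and not files_protected:
        points += 1                     # one point per office for accessible manual files
    points += o.unlocked_computers      # one point per accessible computer unit
    if o.data_visible_through_window:
        points += 1
    if o.restricted_files_accessible:
        points += 1
    return points


@dataclass
class Inspection:
    phase: str        # "pre" or "post" intervention
    time_band: str    # e.g. "before 09:00", "coffee break", "lunch break", "after hours"
    offices: list[OfficeInspection]


def inspection_default_points(insp: Inspection) -> int:
    """Total default points recorded for one inspection visit."""
    return sum(office_default_points(o) for o in insp.offices)


def mean_points_by_band(inspections: list[Inspection]) -> dict[str, dict[str, float]]:
    """Mean default points per time band, split by phase and over all inspections."""
    scores: dict[str, dict[str, list[int]]] = defaultdict(lambda: defaultdict(list))
    for insp in inspections:
        scores[insp.time_band][insp.phase].append(inspection_default_points(insp))
    summary: dict[str, dict[str, float]] = {}
    for band, by_phase in scores.items():
        summary[band] = {phase: mean(vals) for phase, vals in by_phase.items()}
        summary[band]["total"] = mean([s for vals in by_phase.values() for s in vals])
    return summary


# Constructed sample inspections (illustrative values, not the audit's results).
SAMPLE_INSPECTIONS = [
    Inspection("pre", "lunch break", [
        OfficeInspection("A", True, False, True, 2, True, True),   # 5 points
        OfficeInspection("B", True, True, True, 0, False, False),  # 1 point: locked but key available
    ]),
    Inspection("pre", "after hours", [
        OfficeInspection("A", True, True, False, 0, False, False),  # 0 points: locked, key secured
        OfficeInspection("B", True, False, True, 1, False, False),  # 2 points
    ]),
    Inspection("post", "lunch break", [
        OfficeInspection("A", True, True, False, 1, False, False),  # 1 point
        OfficeInspection("B", False, False, True, 0, False, False), # 0 points
    ]),
    Inspection("post", "after hours", [
        OfficeInspection("A", True, True, False, 0, False, False),  # 0 points
        OfficeInspection("B", True, True, False, 0, False, True),   # 1 point
    ]),
]

if __name__ == "__main__":
    for band, row in mean_points_by_band(SAMPLE_INSPECTIONS).items():
        print(band, row)
```

Each inspection sheet is reduced to a single integer, so a sheet filled in by a different inspector still contributes comparably; the per-band means are what a chart of "time of day versus vulnerability" would be drawn from.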
Intervention
Following the results of the baseline audit, areas of weakness were identified and corrective interventions were suggested by the multidisciplinary team. The intervention comprised a mixture of educational and practical measures:
(a) The audit findings were presented at the department’s academic meeting. Staff members watched a 17-minute training video sourced from the Office of the Data Protection Commissioner for the purpose of training (My Data – Your Business 2005). New staff members joining the department were also asked to view the video. Members of staff who were not present at the department meeting were briefed individually about the audit results and were supplied with the training video to view.
(b) We requested the Hospital Technical Services Division to cover the outer windows with a frosted coating, which allows light in but stops people outside from looking in.
(c) Old notes containing patients’ data not in use (e.g. photocopies of previous assessments) were shredded.
(d) Keys were obtained for filing cabinets where possible and staff members were encouraged to use them.
(e) Reminders were displayed on the walls to ensure doors and cabinets are locked when not attended to.
(f) The IT Department was contacted to set an inactivity timeout for computers not in use. Periodic changing of passwords was also suggested.
(g) A swipe card access control to the offices where files are likely to be kept was suggested to the hospital administration but was not sanctioned at the time of re-audit due to cost considerations. Secretarial staff agreed to lock the main office when they go on lunch or coffee breaks.
Re-audit
Five months later, a re-audit took place using the same methods.
Results
Staff training and data handling practices
Twenty-four staff members filled the questionnaire. This represented 95% of staff. The results obtained from this questionnaire before and after the intervention are shown in Table 2.
(Table 2, footnote a: for staff members who are not involved in data collection, i.e. data processors.)
Results for departmental inspections
The results obtained from departmental inspections before and after the intervention are shown in Table 3.
Time of the day and vulnerability
Figure 1 plots the mean default points for each of the four time bands pre-intervention, post-intervention and overall.
Discussion
This audit demonstrates (1) significant unawareness of the DPA at baseline among staff members of a psychiatry department in a general hospital; (2) a lack of staff training on the DPA 1988 and 2003; and (3) that significant improvement can be achieved with brief, low-cost interventions. The data in Table 3 show the magnitude of the data storage problem, particularly that of manual data. As management of manual files appears to constitute the biggest problem in this audit, moving towards electronic patient files may improve data security. Figure 1 shows the increased risk to stored data during daytime breaks (lunch and coffee breaks) compared with out-of-office hours. This pattern persists, to a lesser extent, post-intervention.
The interventions used to improve compliance with the DPA included a mixture of educational and practical measures and targeted the areas of weakness noted in the baseline audit, as shown in Tables 2 and 3. As a result, staff awareness of the requirements of the Act rose, which in turn led to better adherence to recommended practices in data handling and storage (Fig. 1).
The lack of compliance with the DPA seen at baseline in this audit is consistent with previous studies involving final-year medical students in a university hospital in Dublin (Naughton et al. 2012) and surgical trainees in Northern Ireland (Mole et al. 2006). In their audit of final-year medical students’ compliance with the DPA, Naughton et al. suggested that widespread breaches of the DPA exist among registered healthcare professionals and described the findings on medical students as the ‘tip of an iceberg’ (Naughton et al. 2012). This audit confirms that hypothesis. In contrast to the earlier findings (Naughton et al. 2012), this study suggests some improvement in compliance with the DPA as a result of a mixture of educational intervention and practical solutions.
An important strength of this audit is the use of objective inspections as well as self-reported questionnaires to assess staff compliance with the DPA, evaluating both the staff’s state of knowledge about the DPA and their everyday adherence to it. Other strengths of this study are the inclusion of the whole multidisciplinary team and clerical staff in the assessment process, carrying out the inspections both during working days and over the weekend, and inspecting the premises at staggered intervals during the day.
The most important limitation of this study lies in the fact that it does not show whether the improvement noted in adherence to the DPA is sustainable in the long term. It also does not include detailed information on digital data handling through USB drives or data transmission outside the formal hospital email system. However, the hospital’s digital data protection policy allows only encrypted external data drives on hospital computers. The use of external email in data transfers is not monitored and remains an area for future audits.
Conclusions
A combination of educational and practical interventions, including training of staff on the DPA, resulted in an overall improvement in compliance and a reduction in default points. However, management of manual (physical) data proved more difficult and will therefore need more input. Using electronic medical records may be a way forward to improve the security of sensitive data.
Recommendations
We recommend assigning a permanent member of the team to undertake responsibility for continuous monitoring of levels of compliance and for ensuring the training of new staff. Commonly known as the ‘Caldicott guardian’, such a provision has been in place in the United Kingdom for more than 2 decades following the publication of the Caldicott report on patient confidentiality issues in 1997 (Roch-Berry 2003). As recommended by the Office of the Data Protection Commissioner, periodic audits are needed to ensure long-lasting compliance. Further audits are needed to investigate the extent of the use of unsecured common email in data transfer. We also recommend the inclusion of training on data protection in staff educational sessions at regular intervals.
Acknowledgements
The authors would like to acknowledge the participation of all staff of the Department of Psychiatry, Beaumont Hospital; we also wish to thank Professor Kieran Murphy, RCSI and Beaumont Hospital for reviewing an earlier draft of this paper.