$35m action plan to plug leaks of patients' records
Carol Chung
Thursday, September 11, 2008
The Hospital Authority will spend HK$35 million over the next two years to protect patients' personal data, it was announced yesterday.
Chief executives of various hospital clusters will be held responsible and accountable for the protection of such data as part of the plan.
Chief information officer Andre Greyling said cluster chiefs will face certain procedures but stopped short of mentioning specific disciplinary action should there be further leakages.
The decision to plug loopholes in the system follows 26 recommendations by an independent task force designed to improve the authority's organizational structure, staff awareness and technology on protecting patients' privacy.
The four-member task force was set up after some of the personal information of 16,000 patients at five public hospitals and an outpatient clinic was leaked in 10 incidents between April last year and May this year.
Former privacy commissioner for personal data Stephen Lau Ka-men, who chaired the task force, said putting information security and privacy into the performance objectives of the cluster chief executives was necessary.
"There is a need for some kind of accountability from the chief executives. The authority is treating a lot of data with very high sensitivity," he said.
The cluster chiefs should also be required to make an annual information security and privacy report, he added.
All the recommendations were endorsed at a board meeting yesterday.
The authority's chief medical information officer, Cheung Ngai-tseung, said some measures had already been taken, such as acquiring advanced USB drives for staff use, reminding all staff to handle patients' personal data carefully, installing encryption software on all computers and making reporting of data-leakage incidents mandatory.
Another 19 action plans will be carried out within the next one to two years.
A data security and privacy office will be established to coordinate and oversee the implementation of information security and privacy measures in all public hospitals.
Staff awareness programs and technology measures will also be implemented.
"The principles are to minimize access to patients' data, minimize transport of patients' data, protect end-users' devices and monitor and audit the use of personal data," Cheung said.
He said medical staff will not be barred from taking home USB devices with patients' data, but will be encouraged to access the hospital's patients' data system via the existing Virtual Private Network system from their home computers.
The use of the patients' identity card numbers will also be reduced in cases such as research.
Copyright 2005, The Standard Newspaper Publishing Ltd., and its related entities. All rights reserved.