The Norwegian Data Protection Authority’s inspection of Oslo University Hospital (OUH) reveals that the hospital cannot document satisfactory control of patient data when the hospital needs laboratory services from other countries.
The Data Protection Authority understands that it is important to be able to use laboratories in other countries when the hospital or other Norwegian laboratories do not have the necessary expertise to perform analyses required to provide patients with the medical help they need. The hospital therefore sends out blood samples or other biological material and patient data for analysis at laboratories located in other countries, both within and outside the EEA. This affects approx. 8,000 patients a year.
Nevertheless, this need for outside assistance does not exempt the hospital from its responsibility of ensuring safe and appropriate processing of biological samples and patient data.
The Data Protection Authority concluded that the hospital has failed to establish appropriate agreements to ensure correct handling of the hospital’s duties and protection of the patients’ rights, among other things because the hospital has failed to conclude data processing agreements with laboratories.
In its most recent response to the Data Protection Authority’s preliminary inspection report, the hospital says it will address the problems revealed in the report. The hospital plans to assign responsibility for all use of foreign labs to a dedicated hospital unit, and plans to conclude agreements with foreign labs to ensure that all patient data and the patients’ biological material are processed in accordance with relevant legislation.
“These are positive signals from Oslo University Hospital,” says Bjørn Erik Thon, Director of the Data Protection Authority. “Clear assignment of responsibility and clear agreements are important for personal data protection and information security.