The purpose of this document is to demonstrate how the PIA process works and the format of a PIA Report. St. Anywhere’s hospital is fictitious and is not intended to represent any hospital and no such project has been proposed. Certain assumptions have been made around policies and processes for the purpose of compiling this report.
The privacy risks identified are as follows:
- medical professionals are bound by codes of conduct and owe a duty of confidentiality to service users. Each member of hospital staff has contractual obligations in relation to privacy. The external auditor may not be bound by these same codes of professional conduct, which may increase the risk of inappropriate disclosure of information
- because of the change in practice, service users are not aware of the proposed change in information practices and so are not fully aware of how their information will be used. Service users have a right to know how their information is being used. Although implied consent is considered sufficient for clinical audit, service users need to be made aware of this change in the clinical audit process and assured that appropriate safeguards to protect their privacy are in place
- the auditor may access additional patient healthcare records, thereby accessing more personal health information than is necessary to complete the audit (unauthorised access to sensitive personal information). The risk in this instance relates to a breach of access rights
- the auditor may use the information inappropriately, use it for secondary purposes or disclose it to another individual. Such misuse of information poses a risk to the privacy and confidentiality of service users and could result in the hospital being in breach of data protection legislation
- the auditor may know the service user whose record they are reviewing as part of the clinical audit process. Although this is a risk with the clinical audit process as it stands currently, the service user could potentially be more uncomfortable with this proposal, as the external auditor does not owe the same duty of confidentiality to the service user as a health professional.