A recent HSE internal audit report on hospital arrangements with DNA collection company Genomics Medicine Ireland (GMI) has noted “significant concerns about data protection compliance”, the Medical Independent (MI) has learned.
Last year, GMI rebranded as Genuity Science. The report was discussed at the HSE audit and risk committee meeting on 11 December, according to minutes seen by this newspaper following a Freedom of Information request.
A spokesperson for Genuity Science told MI it was “not invited to participate by the HSE in their internal audit and as yet, has not been provided with a copy of the HSE’s report. Accordingly, we are not in a position to comment further.”
“To date, there have been no changes in the arrangements between Genuity Science and the hospitals arising from this internal audit report.”
The spokesperson added that the company had contacted the HSE regarding what it described as some “misleading and inaccurate” statements in the minutes.
According to the minutes, the HSE internal audit division was tasked by the committee to gather information from statutory and voluntary hospitals on their arrangements with GMI and the nature and governance of those arrangements.
This included adherence to data protection legislation, such as patient consent for the provision of personal data.
The committee decided to refer the report to the HSE executive management team (EMT) “to bring forward, at an early point, a plan to deal with the concerns raised in it”.
“This plan should cover the short-, medium-, and longer-term changes that are needed. Given the significant concerns about data protection compliance expressed in the report, the committee will ask the EMT to specifically address what can be done to address the near-term position.”
An Executive spokesperson told MI “work is underway to ensure the arrangements are compliant”.
According to minutes of the HSE audit and risk committee: “The committee noted that the report was prepared solely based on information provided by the hospitals in their responses to the information request and that the internal audit team did not carry out any verification exercises on the data received.”
The committee was further informed that as part of this report, HSE internal audit also “commissioned Deloitte to conduct an assessment on a sample of hospital documentation linked to their arrangements with GMI in terms of their compliance with the requirements under general data protection regulation (GDPR)”.
“During discussion of the report the prospect of suspension or other interruption of the operation of these arrangements was raised, until the HSE can satisfy itself that these arrangements are fully compliant,” outlined the minutes.
“In addition, the committee expressed the view that the HSE could benefit from some clarity about whether any data breaches have arisen (as opposed to potential non-compliances), as this carries with it reporting obligations with statutory authorities.”