Medical students' knowledge of data protection legislation

Medical confidentiality derives from the Hippocratic Oath and has been affirmed in most codes of professional conduct, including the Irish Medical Council's guide to professional conduct and ethics. The Irish Data Protection Act 1988 and Amendment 2003 bring this responsibility into a legal forum. The aim of this audit is to assess how comprehensively medical tutors/consultants instilled knowledge and appreciation of confidentiality and data protection to medical students in a prominent Dublin University Hospital.

Breaches in data protection legislation by final year medical students were identified by means of a questionnaire. Changes were made to the curriculum (presentations, notices on students' e‐learning interface and induction manual) and to the exams in psychiatry, to increase awareness of data protection legislation. Students at the same point in their education were re‐assessed one year later to see if the interventions were helpful in increasing knowledge and improving adherence to data protection legislation.

Significant breaches of the data protection legislation at baseline and follow up were identified. Examples include: “Data shall be kept for one or more specified, explicit and legitimate purposes” – when asked if they would inform patients that assessments were for submission of a case report, 44 per cent at baseline and 56 per cent at follow‐up said yes. “Appropriate security measures shall be taken against unauthorised access” – 52 per cent password‐protected their computer at baseline and 59 per cent did at follow‐up. Of those that had no password protection at baseline, 70 per cent of their computers were used by others, with little change in this at follow‐up (68 per cent). At baseline 52 per cent kept a copy of reports on USB devices compared to 46 per cent at follow‐up. 26 per cent admitted to losing a USB device in the past. “Data should not be kept longer than is necessary for that purpose” – 63 per cent admitting keeping electronic copies of case reports on their computers following submission at baseline and 64 per cent at follow‐up. “Data should be made anonymous” – 96 per cent at baseline and 100 per cent at follow‐up used initials when submitting case reports to make the data anonymous.

What was disappointing was that, while knowledge and awareness of obligations under data protection legislation improved following intervention, breaches in compliance still remained.

This is the first such audit in Ireland on the provision of educational training in the area of data protection legislation to medical students. It is likely that that such breaches by medical students reflect the tip of the iceberg in relation to probable breaches amongst registered healthcare professionals. The challenge now facing the medical profession and healthcare services is to effect behavioural change to improve compliance with data protection legislation.