NHS Takes Action Over Data Security

The information commissioner has criticised the NHS over its data protection efforts while some patients could choose to delete electronic information

The NHS has received a letter of warning from the UK’s Information Commissioner over a spate of recent data breaches concerning patients’ records while other reports suggest patients will be able to delete their own records if they choose.

The office of the UK’s Information Commissioner (ICO) Richard Thomas has confirmed that a letter has been sent to the Department of Health asking the organisation to tighten up policy on the control of patient information. The letter will be backed up by spot-checks on hospitals to make sure they are complying with data protection regulations, the ICO has said.

The NHS confirmed that it had received the letter and would be making every effort to comply with data protection regulations.

But according to reports in the Guardian, those patients who are not satisfied with the NHS’ ability to protect their data will be allowed to delete some electronic record information from a national medical database.

If the reports are accurate, the move will represent a U-turn by the NHS, which has previously claimed that the cost of deleting individual summary care records (SCRs) would be too high. The NHS had not responded at the time of writing.

Commenting on the move, Gayna Hart, managing director of IT consultancy Quicksilva, said that it wasn’t surprising some patients were concerned about data protection, but that electronic patient records could be made secure with the right policies.

“Given previous government data breaches, it is understandable that people are worried about who sees their record. One way to ensure the correct level of confidentiality is by establishing a legitimate relationship between the patient and the person viewing the patient’s record,” she said. “This can be tackled by developing workgroups of staff dealing with the patient. For example, the majority of medical staff do not need access to your record, but the GPs and nurses in your own practice clearly do.”

Last month, the ICO released a statement naming several hospitals which it said had breached data protection regulations and were now taking action to improve their information security, and reminded the NHS that it has to respect data protection rules like any other organisation.

“It is a matter of significant concern to us that in the last six months it has been necessary to take regulatory action against 14 NHS organisations for data breaches. In these latest cases staff members have accessed patient records without authorisation and on occasions, have failed to adhere to policies to protect such information in transit,” said Mick Gorrill, assistant Information Commissioner at the ICO.

The hospitals named by the ICO included the Cambridge University Hospital NHS Foundation Trust, Central Lancashire Primary Care Trust, North West London Hospitals NHS Trust and Hull & East Yorkshire Hospitals NHS Trust. “The Data Protection Act clearly states that organisations must take appropriate measures to ensure that personal information is kept secure. These four organisations recognise the seriousness of these data losses and have agreed to take immediate remedial action,” said Gorrill.

One of the main actions to be taken by the hospitals was to encrypt “all portable and mobile devices used to store and transmit personal data”. “There is little point in encrypting a portable media device and then attaching the password to it,” added Gorrill.

The incident at Cambridge University Hospital NHS Foundation Trust involved the loss of an unencrypted memory stick containing medical treatment details of 741 patients. The stick was lost after a member of staff left it in an unattended car. The stick was discovered by a car wash attendant who was able to access the contents to find out who it belonged to. The Trust claimed the information was downloaded without its knowledge.

“Data protection must be a matter of good corporate governance and executive teams must ensure they have the right procedures in place to properly protect the personal information entrusted to them,” added Gorrill. “Failure to do so could result in patient information, including sensitive medical records and treatment details falling into the wrong hands. Ultimately, the organisations risk losing the confidence of patients and their families.”