ICO Censures Manchester Hospital For Data Breach

The NHS continues to live up to its reputation for being the worst institution for protecting confidential data, following a fresh reprimand from the Information Commissioner’s Office (ICO).

In its latest adjudication, the ICO found that the University Hospital of South Manchester NHS Foundation Trust had breached the Data Protection Act (DPA) by losing sensitive personal information relating to the treatment of 87 patients.

It seems the data loss occurred when a medical student – who had been on a placement at the hospital’s Burns and Plastics Department – copied data onto a personal, unencrypted memory stick for research purposes.

Training Assumption

The memory stick was then lost by the student during a subsequent placement in December last year.

The ICO said that its investigation had found that the hospital had automatically assumed that the student had received data protection training at medical school, and therefore did not provide medical students with the induction training given to its own regular staff.

“This case highlights the need to ensure data protection training for healthcare providers is built in early on so that it becomes second nature,” said Sally Anne Poole, Acting Head of Enforcement at the ICO. “Medics handle some of the most sensitive personal information possible and it is vital that they understand the need to keep it secure at all times, especially when they are completing placements at several health organisations.”

“NHS bodies have a duty to make sure their staff – both permanent and temporary – understand their responsibilities on day one in the job,” she said.

Slap On The Wrist

The ICO has again opted not to issue a fine, but said that the hospital has agreed to take significant steps to ensure that the personal information accessed by students working at the hospital is kept secure. This includes making sure all students are aware of data protection policies.

“While we are pleased that the University Hospital of South Manchester has taken action to avoid this oversight in the future, we will continue to work with healthcare bodies and education providers to make sure that data protection training is a mandatory part of people’s education.”

Meanwhile the ICO has received a further undertaking from the London Ambulance Service, which breached the DPA after a personal laptop was stolen from a contractor’s home.

The laptop contained contact details and transport requirements relating to 2,664 patients who had previously used the Patient Transport Service. The Trust has now taken action to ensure that contractors are made aware of its existing policy on the use of personal data, which states that staff should not store patients’ information on their personal computers.

Long Litany

Data breaches within the NHS are a depressingly familiar story.

Back in June last year for example, the ICO published a list of the 1,000 data breaches reported since 2007. It found that the NHS was responsible for 305 of the 1,007 reported breaches, almost a third of all recorded data breaches in the UK for the last three years.

And the cycle shows no sign of stopping.

In July researchers for London Health Programmes revealed that they had lost unencrypted records of 8.63 million NHS patients.

Last October Healthcare Locums Plc breached the Data Protection Act when it lost a hard disc drive (HDD) that contained personal data of the doctors it employed, such as their security clearances and visa information.

In May 2010 an NHS worker in the secure mental health unit of a Scottish hospital was suspended, after losing a USB stick containing patients’ medical records.

In an effort to help the NHS deal with data loss, the ICO produced guidance for health organisations explaining their obligations to keep the personal information they handle secure, as well as giving advice on the security measures that must be in place.

It also carried out a number of audits with health organisations to help them identify ways in which they can improve their handling of personal information.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long-standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...


  • http://bit.ly/nR7qBj This link here is a free guide to managing mobile device risk, specifically for the healthcare industry. I think with the paranoia about hackers, IT managers in hospitals tend to focus solely on firewalls and encryption, where they should really not forget the physical security of their laptops, which hundreds of employees use. Something as simple as using a laptop lock could prevent up to 40% of thefts. And another study by Data Loss DB found that device theft was the leading cause of data breaches.
