ICO Warns NHS Over Ongoing Data Breaches

The ICO has censured five NHS organisations for data breaches and said the health service must do more to protect patient data

The NHS continues to live up to its poor reputation concerning the protection of patient data, after the Information Commissioner’s Office (ICO) reprimanded another five NHS health bodies for breaching the Data Protection Act (DPA).

The ICO has also warned the NHS in general that it must do more to prevent data breaches in future.

“The health service holds some of the most sensitive personal information of any sector in the UK,” said Information Commissioner Christopher Graham. “Millions of records are constantly being accessed and we appreciate that there will be occasions where human error occurs. But recent incidents such as the loss of laptops at NHS North Central London – which we are currently investigating – suggest that the security of data remains a systemic problem.”

“The policies and procedures may already be in place but the fact is that they are not being followed on the ground,” he said. “Health workers wouldn’t dream of discussing patient information openly with friends and yet they continue to put information on unencrypted memory sticks or fax it to the wrong number.

“The sector needs to bring about a culture change so that staff give more consideration to how they store and disclose data. Complying with the law needn’t be a day-to-day burden if effective measures are built in and then become second nature.”

More NHS Breaches

“My office is working with Connecting for Health to identify how we can support the health service to tackle these issues,” he added.

His comments come as the ICO once again reprimanded five NHS health bodies for losing customer data.

These include Ipswich Hospital NHS Trust, which in February lost 29 patient records after a member of staff took them home to update a training log. The information, which included sensitive personal data relating to operations carried out on patients, was subsequently recovered.

In the same month Dunelm Medical Practice in Durham sent discharge letters about two patients’ routine operations to the wrong recipient.

The ICO has also received further undertakings about tackling data breaches from the East Midlands Ambulance Service NHS Trust, Lancashire Teaching Hospitals NHS Foundation Trust, and Basildon and Thurrock NHS Trust.

NHS Ignorance?

Data breaches within the NHS are a depressingly familiar story. Back in June last year, for example, the ICO published a list of the 1,000 data breaches reported since 2007. It found that the NHS was responsible for 305 of the 1,007 reported breaches, almost a third of all recorded data breaches in the United Kingdom over the last three years.

And the cycle shows no sign of stopping. Earlier this month, for example, researchers for London Health Programmes revealed that they had lost unencrypted records of 8.63 million NHS patients.

Last October Healthcare Locums Plc breached the Data Protection Act when it lost a hard disc drive (HDD) that contained personal data of the doctors it employed, such as their security clearances and visa information.

In May 2010 an NHS worker in the secure mental health unit of a Scottish hospital was suspended after losing a USB stick containing patients’ medical records.

In an effort to help the NHS deal with data loss, the ICO has produced guidance for health organisations explaining their obligations to keep the personal information they handle secure, as well as giving advice on the security measures that must be in place.

It also carried out a number of audits with health organisations to help them identify ways in which they can improve their handling of personal information.