The Royal Free Hampstead NHS Trust reported the loss of an unencrypted compact disk initially thought to contain medical treatment details of 20,000 patients from the hospital's cardiology department. The Trust has since reported to the ICO that it cannot be precise about the information contained on the disk.
Chelsea and Westminster Hospital Foundation Trust reported the theft of an unencrypted memory stick containing the details of 143 patients, including sensitive medical information. The Trust believes that the memory stick was stolen from an unlocked office that was being used as a walk-in clinic. The memory stick was not password protected or encrypted, and an employee had been taking it home for use on his personal computer.
It emerged that Epsom and St Helier University Hospital NHS Foundation Trust had been storing hospital records insecurely for nearly two years after data was transferred between hospitals.
A ward handover sheet, containing information relating to 23 patients in the care of Surrey and Sussex NHS Trust, was found on a bus. The Trust also reported the theft of two laptop computers. Although they were kept behind three locked doors, they were not encrypted.
Hampshire Partnership NHS Trust informed the ICO about the theft of an unencrypted laptop computer holding the personal data of 349 patients and 258 staff. The laptop was stolen from an employee attending a health conference.
Some of the information was classified as sensitive personal data as defined in Section 2 of the Act. The NHS bodies have agreed to implement the appropriate security measures to ensure that personal details are properly protected by establishing physical safeguards, such as locking an office. Staff will be appropriately trained on the policy for storage and how to follow that policy. Laptops, mobile and portable devices held by The Royal Free Hampstead NHS Trust, Chelsea and Westminster Hospital NHS Foundation Trust and Hampshire Partnership Trust will be password protected and encrypted.
Sally-anne Poole, Head of Enforcement and Investigations at the ICO, said: 'These five cases serve as a reminder to all NHS organisations that sensitive patient information is not always being handled with adequate security. It is important that staff adhere to policies designed to protect individuals' sensitive information.
'Data protection must be a matter of good corporate governance and executive teams must ensure they have the right procedures in place to properly protect the personal information entrusted to them. Failure to do so could result in patient information, including sensitive medical records and treatment details, falling into the wrong hands.
'The Data Protection Act clearly states that organisations must take appropriate measures to ensure that personal data is kept secure. These five organisations recognise the seriousness of these data losses and have agreed to take immediate remedial action.'
Failure to meet the terms of an Undertaking is likely to lead to enforcement action by the ICO.
The Royal Free Hampstead NHS Trust, Chelsea and Westminster Hospital NHS Foundation Trust, Epsom & St Helier University Hospitals NHS Trust, Surrey and Sussex Healthcare NHS Trust and Hampshire Partnership NHS Trust have all signed formal Undertakings outlining that they will process personal information in line with the Data Protection Act.
Anyone who processes personal information must comply with eight principles, which make sure that personal information is:
• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than is necessary
• Processed in line with your rights
• Secure
• Not transferred to other countries without adequate protection