The ICO has found Grampian NHS in breach of the Data Protection Act after receiving reports of three separate incidents involving data security. A senior nursing manager inappropriately emailed 50 staff with sensitive personal details relating to a patient. Lack of secure storage on the labour ward enabled someone to remove the personal details of 200 patients from a confidential waste sack. Finally, a laptop containing details of patients in the gastroenterology clinic was stolen from a locked office. The laptop was not encrypted and contained personal data on 1500 patients with a particular disease.
The ICO has discovered that staff, patients and visitors could have had access to confidential waste, and that many staff have not been aware of the correct procedures for disposing of such material. It is also now clear that some staff have been using home computers for work-related tasks involving personal information and using USB sticks to transfer the work, contravening the organisation's own policies and procedures.
Ken Macdonald, Assistant Information Commissioner – Scotland, said: 'Details about people's physical and mental health are sensitive personal data. It is vital that organisations handle personal information securely, especially where patients' details are concerned. NHS Grampian will be taking a number of steps to improve data security to ensure that it complies with the Data Protection Act.'
The data controller shall, as from the date of the Undertaking and for so long as similar standards are required by the Act or other successor legislation, ensure that personal data are processed in accordance with the Seventh Data Protection Principle in Part I of Schedule 1 to the Act, and in particular that:
(1) Portable and mobile devices including laptops and other portable media used to store and transmit personal data, the loss of which could cause damage or distress to individuals, are encrypted using encryption software which meets the current standard or equivalent;
(2) Any personal data stored on portable devices or media is backed up to the data controller's network server on a daily basis, or at least at the end of every day on which changes have been made to the personal data. Confirmation of the success of each backup attempt is to be obtained from the IT department and any failure corrected without delay, or the device securely stored pending completion of a successful backup;
(3) Physical security measures are adequate to prevent unauthorised access to personal data;
(4) Staff are aware of the data controller's policies for the storage, use and disposal of personal data and are appropriately trained how to follow those policies;
(5) The data controller shall implement such other security measures as it deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.
Anyone who processes personal information must comply with eight principles, which make sure that personal information is:
a) Fairly and lawfully processed
b) Processed for limited purposes
c) Adequate, relevant and not excessive
d) Accurate and up to date
e) Not kept for longer than is necessary
f) Processed in line with your rights
g) Secure
h) Not transferred to other countries without adequate protection
"Several weeks into the new era of Coalition Government and certain key themes are emerging. First up, it's clear that the battle of the 'who can get their memoirs out the door quick enough to steal a march in the revisionist history stakes' has been triumphantly won by M'Lord Mandelson (Weren't those TV ads scary – the velvet smoking jacket, the leather fireside chair, all that Brylcreem! The only thing missing was the theme tune to Tales of the Unexpected and the accompanying prancing silhouette of Harriet Harman or Diane Abbott dancing!)"
Colin Rickard, managing director EMEA at SAS subsidiary Dataflux, argues that public sector data must be of high quality if the efficiencies promised from ICT and infrastructure are to be realised.
"Tackling the public sector's data integration and data quality challenges is a tough prospect. The challenge may require more effort than a comparative project in a large private company. Data must be governed according to a strategy that necessitates bringing interested parties together."
Complete our survey and enter our draw to win a free seat at the e-Government Awards. The public sector is already perceived to be lacking in innovation, but is that a fair assessment, and what role could it play in helping the government meet efficiency targets? What do people working on the front line of ICT in public sector organisations think?
Source: K2 Advisory