Christopher Graham, the Information Commissioner, has issued five health organisations with Undertakings following their failure to keep sensitive personal data secure.
In February 2011, Ipswich Hospital NHS Trust misplaced 29 patient records after a member of staff took them home to update a training log. The sensitive personal data, relating to patients' operations, was subsequently recovered. The Trust has since introduced mandatory data protection training for all relevant staff.
Again in February 2011, Dunelm Medical Practice in Durham missent discharge letters about two patients' routine operations to the wrong recipient. Staff failed to notice they had entered a fax number incorrectly, and the letters went to a third-party organisation. That organisation alerted County Durham and Darlington NHS Foundation Trust, which advised it to destroy the documents. Dunelm Medical Practice has now agreed to send Electronic Discharge Letters by secure email and to fax them only in exceptional circumstances. It will also programme its fax machine with regional branch numbers to give better protection in future.
Further undertakings have been signed by East Midlands Ambulance Service NHS Trust, Lancashire Teaching Hospitals NHS Foundation Trust and Basildon and Thurrock NHS Trust.
The Commissioner went on to say: “The health service holds some of the most sensitive personal information of any sector in the UK. Millions of records are constantly being accessed and we appreciate that there will be occasions where human error occurs. But recent incidents such as the loss of laptops at NHS North Central London – which we are currently investigating – suggest that the security of data remains a systemic problem. The policies and procedures may already be in place but the fact is that they are not being followed on the ground. Health workers wouldn’t dream of discussing patient information openly with friends and yet they continue to put information on unencrypted memory sticks or fax it to the wrong number. The sector needs to bring about a culture change so that staff give more consideration to how they store and disclose data. Complying with the law needn’t be a day-to-day burden if effective measures are built in and then become second nature. My office is working with Connecting for Health to identify how we can support the health service to tackle these issues.”
I note that the Commissioner has stopped short of issuing a Financial Penalty which, he said in a conversation I had with him recently, is primarily because any penalty would make it difficult for these organisations to manage their limited funds.
I am not sure this is the correct signal to send out, bearing in mind the data they are processing and the fact that Financial Penalties have been issued for lesser offences than these. Should they be penalised? Yes, I consider that they should be held up as an example to the rest of business and public authorities, considering Mr Graham talks of having a big stick in the cupboard and not being afraid to use it. Well, I say “use it”, and let’s show the UK that you are not afraid of using it on anyone who transgresses!
It is going to be interesting to see what happens with the loss of the undisclosed number of laptops by NHS North Central London. It has been stated that 5 were lost; however, this figure seems to change every time I see something about it. The only real concern is for the 8 million people whose sensitive personal information is held on these laptops.
Will the Commissioner use his ‘big stick’ this time? I sincerely hope so.