Five more health organisations in breach of The Data Protection Act 1998, still no Financial Penalties issued!


Christopher Graham, the Information Commissioner, has issued five health organisations with Undertakings following their failure to keep sensitive personal data secure.

In February 2011, Ipswich Hospital NHS Trust misplaced 29 patient records after a member of staff took them home to update a training log. The sensitive personal data relating to patients operations was, however, subsequently recovered. Mandatory data protection training for all relevant staff was introduced by the Trust.

Again in February 2011, Dunelm Medical Practice in Durham missent discharge letters about two patient’s routine operations to the wrong person. Staff failed to notice they had entered a fax number incorrectly and they were sent to a third-party organisation. They alerted County Durham and Darlington NHS Foundation Trust who advised them to destroy the documents. Dunelm Medical Practice has now agreed to send Electronic Discharge Letters by secure email and fax them only in exceptional circumstances. They will also programme their fax machine with regional branch numbers to ensure there is better protection for the future.

Further undertakings have been signed by East Midlands Ambulance Service NHS Trust, Lancashire Teaching Hospitals NHS Foundation Trust and Basildon and Thurrock NHS Trust.

The Commissioner went on to say; “The health service holds some of the most sensitive personal information of any sector in the UK. Millions of records are constantly being accessed and we appreciate that there will be occasions where human error occurs. But recent incidents such as the loss of laptops at NHS North Central London – which we are currently investigating – suggest that the security of data remains a systemic problem. The policies and procedures may already be in place but the fact is that they are not being followed on the ground. Health workers wouldn’t dream of discussing patient information openly with friends and yet they continue to put information on unencrypted memory sticks or fax it to the wrong number. The sector needs to bring about a culture change so that staff give more consideration to how they store and disclose data. Complying with the law needn’t be a day-to-day burden if effective measures are built in and then become second nature. My office is working with Connecting for Health to identify how we can support the health service to tackle these issues.”

I note that the Commissioner has stopped short of issuing a Financial Penalty which, he said in a conversation I had with him recently, is primarily due to the fact that any penalty incurred by them would make it difficult for them to manage their limited funds.

I am not sure this is the correct signal to send out bearing in mind the data they are processing and the fact that Financial Penalties have been issued for lesser offences than these ones. Should they be penalised? Yes, I consider that they should be held up as an example to the rest of business and public authorities considering Mr Graham talks of having a big stick in the cupboard and not being afraid to use it. Well I say “use it” and let’s show the UK that you are not afraid of using it on anyone who transgresses!

It is going to be interesting to see what happens with the loss of the undisclosed number of laptops by NHS North Central London. It has been stated that there were 5 lost however this seems to change every time I see something about it. The only real concern is for the 8 million people whose sensitive personal information is held on these laptops.

Will the Commissioner use his ‘big stick’ this time? I sincerely hope so.

Advertisements

About KPG Professional Services

Kevin has been working in the Data Protection field for over 20 years with The Post Office, Royal Mail Marketing, The Royal Bank of Scotland and Glasgow Housing Association Ltd. He is also trained in the Freedom of Information (Scotland) Act 2002 and has supplied expertise and support in this discipline for the past 4 years. In his leisure time Kevin is a presenter on Hospital Radio, an SRU rugby referee and referee coach and also the stadium announcer at McDiarmid Park for his team St Johnstone in the Scottish Premier League.
This entry was posted in Data Protection, Information Security. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s