After the recent loss of a laptop from the NHS North Central London Trust containing around 8.3 million patient records, the Information Commissioner Christopher Graham has finally moved to denounce the endemic data loss problems common in the National Health Service. There have been numerous examples of data loss in recent months, leading to five more health organisations agreeing to undertakings to improve security.
Information Commissioner Christopher Graham said:
“The health service holds some of the most sensitive personal information of any sector in the UK. Millions of records are constantly being accessed and we appreciate that there will be occasions where human error occurs. But recent incidents such as the loss of laptops at NHS North Central London – which we are currently investigating – suggest that the security of data remains a systemic problem.”
“The policies and procedures may already be in place but the fact is that they are not being followed on the ground. Health workers wouldn't dream of discussing patient information openly with friends and yet they continue to put information on unencrypted memory sticks or fax it to the wrong number.”
But privacy groups don’t believe the ICO have gone far enough to curtail the problems. Daniel Hamilton, director of campaign group Big Brother Watch, added:
“The NHS needs to drastically tighten up its data security procedures and reduce the number of people with access to medical records to prevent the high rate of data loss currently recorded.”
“The Government needs urgently to address the dire state of security around our medical records before it fully rolls out the Summary Care Record, granting access to hundreds of thousands of additional NHS staff across England.”
Despite their tougher-than-usual approach to dealing with public bodies, the ICO remain useless at enforcing the Data Protection Act. The threat of a £500,000 fine may coerce private companies into adjusting their behaviour and improving performance, but in the public sector there is no fiscal responsibility. To circumvent this problem, direct responsibility for any data loss must fall on individuals who are personally involved. This would create an impetus to improve data protection and a reason not to allow standards to slip. Patients in the NHS deserve to know that their private information is safe from hackers and criminals who would use it for nefarious reasons.