ICO issues warning over NHS Data Protection Act breaches

Following five more NHS Data Protection Act violations, the Information Commissioner’s Office will redouble its efforts to help the NHS improve security.

In the wake of a disastrous data loss at the National Health Service, the Information Commissioner’s Office (ICO) has taken the unusual step of issuing a statement promising to work more closely with the NHS to improve its information security efforts and avoid future data privacy breaches.

The statement follows the ICO’s publication last week of five new enforcement notices for NHS Data Protection Act violations, and is intended to tackle a data security problem that observers believe has failed to improve over the last few years, despite policies and technology being put in place to protect patient data.

“The security of data remains a systemic problem,” said Information Commissioner Christopher Graham in a statement, adding that “the policies and procedures may already be in place, but the fact is that they are not being followed on the ground.”

He said his office is now working with Connecting for Health (CFH), the organisation tasked with computerising patient records, “to identify how we can support the health service to tackle these issues.”

No one at CFH was available for comment, but the organisation issued a response saying: “We fully support the Information Commissioner’s call for improvement in local NHS practice in relation to preserving patient confidentiality. There is absolutely no excuse for breaches leading to the loss of sensitive and personal data.”

The CFH statement also said staff should be encrypting portable devices such as laptops and memory sticks, in accordance with specified policies. “Having set clear standards for NHS organisations to adhere to on data handling, we urge them to ensure staff understands and follows that guidance,” it said.

A press spokesman for the ICO said the aim of the new collaboration will be to explore what more can be done to improve data handling at a day-to-day level. “We recognise that NHS staff work under pressure, but we want to see if there is anything we are missing that would improve matters,” he said.

He said the ICO is concerned that, despite the strong commitment by NHS management to improve security, the level of data breaches within the NHS has not fallen, and the overall situation is still serious. Annual figures due to be published on Wednesday July 6 are expected to confirm the NHS is still one of the top offenders for data breaches.

The spokesman said a dedicated team in the ICO is exploring where current weaknesses lie, and how they could be tackled. “For instance, NHS organisations give out encrypted memory sticks to their staff, but unencrypted devices are still being used. Companies at health service events often give out unencrypted memory sticks as free items, and they get used by nurses,” he said.

The ICO’s new efforts are largely prompted by last month’s revelation of a data loss at London Health Programmes, a medical research organisation based at the NHS North Central London health authority. The loss of 20 unencrypted laptops there resulted in the loss of 8.63 million personal records and the NHS medical records of 18 million hospital visits, operations and procedures.

Of the five new NHS enforcement notices, four were related to incidents where patient records had been faxed to the wrong recipients. As the spokesman suggested, simply pre-programming the numbers of recipients would avoid many of those problems. “We will be looking at new ways to reach out to NHS organisations and staff to see if there is something more we can do,” he said.

Overall policy for information handling in the NHS is currently set by the National Information Governance Board for Health and Social Care, but that is set to be disbanded in March 2013, and its functions will be transferred into the Care Quality Commission.
