The UK's data protection watchdog has warned the NHS it must do better at protecting patients' sensitive information, after a series of data breaches and a laptop loss potentially affecting millions of people.
On Friday, the Information Commissioner's Office (ICO) said that four NHS organisations breached the Data Protection Act when they faxed patient data to the wrong people. A fifth broke privacy laws by losing paper records that were then found in a public place.
"Health workers wouldn't dream of discussing patient information openly with friends and yet they continue to put information on unencrypted memory sticks or fax it to the wrong number," information commissioner Christopher Graham said in a statement on Friday. "The sector needs to bring about a culture change so that staff give more consideration to how they store and disclose data."
Despite having processes in place to safeguard against misdialled numbers, the four health organisations sent out faxes to the wrong recipients. The Basildon and Thurrock University Hospitals NHS Foundation Trust mistakenly sent information on an individual being treated for cancer, while Dunelm Medical Practice misdirected discharge letters. The East Midlands Ambulance Service NHS Trust sent a referral form to a wrong number, while the Lancashire Teaching Hospitals NHS Foundation Trust mis-sent a discharge summary.
In addition, an employee of the Ipswich Hospital NHS Trust lost paper records on 29 patients, after taking them home to update a training log. The documents contained sensitive data such as operation details.
Also on Friday, the ICO confirmed it is investigating NHS North Central London over the loss of several laptops, one of which may have contained 8.63 million patient records. London Health Programmes (LHP), an NHS research organisation, admitted losing the laptop in June.
Over the course of the year, the ICO has gained undertakings from 16 health organisations regarding the loss of data of over half a million patients. The NHS is the public-sector body with the worst record for data loss, according to the most recent ICO figures.
Data security expert Andy Buss said repeated enforcement actions against the NHS by the ICO seemed to have had little effect. Buss, a Freeform Dynamics analyst, said NHS Trusts should be audited to see whether they comply with recognised data security standards.
"In a way, fines would be counterproductive with the health service," Buss told ZDNet UK. "For healthcare, there should be mandatory auditing to make sure data standards are adhered to. Closing the door after the horse has bolted doesn't encourage change."
Although the government has imposed massive cuts on public-sector spending, auditing against a stringent standard such as the Payment Card Industry (PCI) financial security standard would at least identify strengths and weaknesses, according to Buss.
"If healthcare bodies are audited, at least they can start to prioritise what they can do most to protect data," said Buss. "There's no reason the principles of financial data protection can't apply to healthcare information."
The Department of Health (DoH) agreed the NHS must improve its data security practices.
"We fully support the ICO call for improvement," a DoH spokesperson told ZDNet UK. "The NHS should be doing more to ensure incidents like this don't happen."
The ICO's annual report on data loss incidents in public- and private-sector organisations is due out on Wednesday.