Privacy watchdog warns NHS to tighten data security

Privacy watchdog warns NHS to tighten data security

Summary: The Information Commissioner's Office tells the NHS it must take more care to safeguard patient data, after another five health service bodies are found to have broken privacy laws

TOPICS: Security

The UK's data protection watchdog has warned the NHS it must do better at protecting patients' sensitive information, after a series of data breaches and a laptop loss potentially affecting millions of people.

Christopher Graham

Information commissioner Christopher Graham has said the NHS must do a better job of safeguarding patients' data. Photo credit: Jack Putter/Wikipedia

On Friday, the Information Commissioner's Office (ICO) said that four NHS organisations breached the Data Protection Act when they faxed patient data to the wrong people. A fifth broke privacy laws by losing paper records that were then found in a public place.

"Health workers wouldn't dream of discussing patient information openly with friends and yet they continue to put information on unencrypted memory sticks or fax it to the wrong number," information commissioner Christopher Graham said in a statement on Friday. "The sector needs to bring about a culture change so that staff give more consideration to how they store and disclose data."

Despite having processes in place to safeguard against misdialled numbers, the four health organisations sent out faxes to the wrong recipients. The Basildon and Thurrock University Hospitals NHS Foundation Trust mistakenly sent information on an individual being treated for cancer, while Dunelm Medical Practice misdirected discharge letters. The East Midlands Ambulance Service NHS Trust sent a referral form to a wrong number, while the Lancashire Teaching Hospitals NHS Foundation Trust mis-sent a discharge summary.

In addition, an employee of the Ipswich Hospital NHS Trust lost paper records on 29 patients, after taking them home to update a training log. The documents contained sensitive data such as operation details.

Also on Friday, the ICO confirmed it is investigating NHS North Central London over the loss of several laptops, one of which may have contained 8.63 million patient records. London Health Programmes (LHP), an NHS research organisation, admitted losing the laptop in June.

Over the course of the year, the ICO has gained undertakings from 16 health organisations regarding the loss of data of over half a million patients. The NHS is the public-sector body with the worst record for data loss, according to the most recent ICO figures (PDF).

Enforcement actions

Data security expert Andy Buss said repeated enforcement actions against the NHS by the ICO seemed to have had little effect. Buss, a Freeform Dynamics analyst, said NHS Trusts should be audited to see whether they comply with recognised data security standards.

"In a way, fines would be counterproductive with the health service," Buss told ZDNet UK. "For healthcare, there should be mandatory auditing to make sure data standards are adhered to. Closing the door after the horse has bolted doesn't encourage change."

Read this

NHS laptop loss could put millions of records at risk

A laptop containing unnamed patient information has gone missing from a subsidiary of the NHS North Central London health authority, putting the privacy of patients at risk.

Read more+

Although the government has imposed massive cuts on public-sector spending, auditing against a stringent standard such as the Payment Cards Industry (PCI) financial security standard would at least identify strengths and weaknesses, according to Buss.

"If healthcare bodies are audited, at least they can start to prioritise what they can do most to protect data," said Buss. "There's no reason the principles of financial data protection can't apply to healthcare information."

The Department of Health (DoH) agreed the NHS must improve its data security practices.

"We fully support the ICO call for improvement," a DoH spokesperson told ZDNet UK. "The NHS should be doing more to ensure incidents like this don't happen."

The ICO's annual report on data loss incidents in public- and private-sector organisations is due out on Wednesday.

Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


1 comment
Log in or register to join the discussion
  • Recent statements from The Information Commissioner regarding the security of NHS pa-tient records identifies further policy changes which will potentially result in more breaches in data laws by further complicating employee work processes. We must remember that a large proportion of clinical data is still in paper format as a consequence of consistent under investment in robust and reliable technology which could enable more efficient ways of working.

    What the NHS and other health service providers require is access to the right information, in the right format, in the right place and at the right time, more often than not in a defined clinical network or local geography. This can be achieved by allowing information to move freely between applications from a pool of secure and protected data that resides in a ven-dor neutral archive.

    Commercial cloud providers such as Amazon and Google provide web based solutions which raise questions around data visibility and preclude them from delivering confidential patient information at the low cost prices used for domestic services. There are, however, secure solutions that are cyber-resilient and can be delivered through a private cloud that is paid for on a transaction basis. Outside of NHS there are numerous examples of such services being deployed in finance, manufacturing and other public sector environments that the NHS and the Information Commissioner might investigate.

    Paul Wooding FBCS CITP
    Head of UK Public Services