Doctors may be fined for losing data

Doctors who lose confidential patient information should be held accountable for the loss, according to the Information Commissioner's Office.

Information commissioner Richard Thomas, giving evidence at a House of Lords Constitution Committee inquiry into data collection and surveillance on Wednesday, proposed that a doctor who is found to be "flouting data-protection principles" should be fined £5,000 by magistrates, or alternatively face an unlimited fine in a Crown Court.

"If a doctor leaves a laptop containing patients' records in his car and it's stolen, it's hard to see that's anything but gross negligence, if the laptop is not sufficiently cared for and encrypted. Frankly any doctor should be able to encrypt data," said Thomas.

At the inquiry, Conservative peer Lord Lyell of Markyate objected to the proposal, saying that prosecution for the loss of one laptop would be disproportionate.

Thomas said the proposed law would not be used to criminalise doctors for one occurence, but that it would be used if gross negligence was suspected.

Assistant information commissioner David Smith said that currently the ICO can only issue a letter when data is exposed, saying there will be action in the event of a second data breach. He added that the ICO can inspect the processing of information in the public and private sector only with the consent of the organisation being inspected. Smith said the ICO was seeking to extend its inspection powers to "help deliver data-protection compliance", and that it would target organisations proportionately.

The General Medical Council (GMC), which registers doctors in the UK, said that it had issued guidance for doctors on patient confidentiality, which includes data-protection guidance. "Doctors should take all reasonable steps to ensure patient information is protected," said a GMC spokesperson. "We expect all registered doctors to follow [the guidance]. Any doctor who seriously or persistently breaches guidance puts their registration at risk."

Doctors who are struck off the GMC register can no longer legally practice medicine in the UK.

PGP, an encryption company, said that while the ICO proposal would be "great news for patient-rights groups", it recommended that emphasis should be placed on encrypting the data rather than the device.

"Given the recent spate of data breaches at NHS trusts, perhaps Richard Thomas's approach of hard compulsion is the only way to get the medical establishment to take this problem seriously," said Jamie Cowper, PGP's director of European marketing. "However, by placing the emphasis on protecting the device — specifically laptops — rather than the confidential data itself, he could be accused of treating the symptoms of this problem, rather than providing a cure."