NHS top culprit as UK data breaches exceed 1,000

The NHS has generated more data breaches than the entire private sector, and stricter rules are on the way, according to the Information Commissioner's Office

More than 1,000 security breaches involving the loss of personal data have now been reported to the Information Commissioner's Office, with the list topped by the NHS, the privacy watchdog said on Friday.

The NHS has reported 305 breaches since November 2007, according to figures from the Information Commissioner's Office (ICO). Of those, 116 were due to stolen data or hardware, 87 were due to lost data or hardware and 43 were disclosures made in error, the ICO said.

The private sector collectively accounted for 288 reported breaches, while local government accounted for 305 cases. Central government has reported 132 breaches, and the voluntary sector has reported a total of 44. A total of 1,007 breaches had been reported as of Friday.

In the past six months, the privacy watchdog has taken action against 14 Department of Health organisations that have exposed private data.

The office said it has now written to the permanent secretary for the Department of Health, Hugh Taylor, to ask for tighter protection of personal records. It also intends to carry out unannounced visits to hospitals and other organisations to see how data is treated.

Early last month the ICO said it would investigate an NHS data breach in which a data stick containing information on psychiatric patients in Scotland was handed in to Glasgow-based Scottish newspaper The Daily Record.

In April, the ICO gained the power to fine organisations up to £500,000 for serious data breaches, but a spokesman for the organisation said the ICO had yet to exercise this power.

The types of UK organisations required to report breaches are to be expanded within the next few months as new EU telecoms regulations are incorporated into UK law, according to the ICO.

Under the EU's Telecoms Reform Package, agreed upon by the European Parliament and the Council of Ministers in 2009, telecommunications companies will have to inform national regulators of serious data breaches. Those rules will be incorporated into UK law within 18 months, the ICO said at the Infosecurity Europe 2010 conference in April.

In addition, the EU has said it is planning to expand the scope of the regulations beyond telcos. In the Digital Agenda plan, introduced in May, the EU said it was planning to expand the rules in order to fight cybercrime and encourage users to trust online services.

"The ongoing review of the EU's general data protection framework will... explore a possible extension of the obligation to notify data security breaches," the EU said in the document.

The European Parliament had pushed to include providers of "information society services", such as banks and health services providers, in the 2009 reforms, but the European Commission and the European Council rejected that idea at the time.