NHS unprepared for data law overhaul, say experts

Experts have warned that the NHS is unprepared for an upcoming overhaul of European data protection laws, just as the government outlined plans to introduce more data sharing within the health service.

Christine Connelly, the government's chief information officer for health, gave details on Tuesday of plans that will allow patients to use services such as Microsoft HealthVault and Google Health to store their electronic medical records. In addition, government plans for health data rest on "a free flow of data" around the NHS, including making patient data more accessible to third-party health researchers.

The NHS is not prepared for a data law overhaul, experts say.

However, the NHS does not have the culture or systems in place to cope with the approaching update to European data privacy laws, medical and legal experts said at the Westminster e-Forum event on Tuesday.

"I'm not sure the NHS has even started thinking about it," said Douwe Korpff, a professor of international law at London Metropolitan University. "It would be better for care, patients and research if we came up with clear, accepted regulation."

The European Commission is due to put forward draft legislation in the summer as part of an ongoing review of the Data Protection Directive. The rights for individuals as outlined by EU justice commissioner Viviane Reding include transparency about how data is used by third parties, and 'privacy by default' in systems.

Data breach concerns

As an example of how patient data is currently treated within the health service, Paul Cundy, co-chair of the British Medical Association's (BMA) GP IT committee, told the event about a recent letter to the BMA asking for endorsement of a proposed study of dementia. The study will not seek the consent of the individuals involved, or their families, before accessing the data for research purposes, he said.

"The NHS is not prepared [for the data law overhaul] — the general level of information assurance is poor," Cundy told ZDNet UK. "The majority of data breaches are among administration in secondary care. The number of data breaches in general practice is very small in comparison."

In response, Connelly said the health service had cut down on the amount of data is has exposed; in 2010, the Information Commissioner's Office named the NHS as the top UK data breach culprit.

"Over the last five to 10 years, the NHS has made lots of positive steps in terms of the security of the systems it uses," Connelly told ZDNet UK. "Higher levels of encryption mean we get to the point where what gets lost is the physical asset."

Connelly said the NHS has moved away from small, under-the-desk PCs and systems, and that data is now mainly held in managed datacentres, adding to security. However, she added there was still room for improvement in security measures.

"Any system is only as good as its weakest link," Connelly said. "If [a healthcare professional] has encrypted data, prints it out and leaves it on a bus, that's a problem."

Legal expert Stuart Knowles pointed out to the audience that the Information Commissioner's Office has the power to fine data controllers for privacy breaches under existing regulations.

"When things go wrong... it'll roll down the hill and end up in the offices of NHS managers," Knowles, a solicitor at Mills and Reeve, said.

Security funding

The NHS has established IT security and privacy procedures, Knowles told ZDNet UK, but these procedures seldom have enough funding at the front line.

"Every local NHS organisation and structure has local policies and procedures," said Knowles. "What they don't have is the investment to put the policies and guidance into practice. Information assurance is not seen as a major priority in healthcare."

Knowles said many NHS systems had not been built with information security in mind, and "data security is being bolted on to a system that's already in place". He added that government budget cuts to healthcare funding could exacerbate the data security situation.