UK privacy watchdog cracks down on NHS breaches

The U.K. Information Commissioner's Office is putting pressure on the NHS to improve data security at its facilities, following a string of breaches.

In the past six months, the privacy watchdog has taken action against 14 Department of Health organizations that have exposed private data, a spokesperson for the ICO said on Tuesday.

The office has now written to the permanent secretary for the Department of Health, Hugh Taylor, to ask for tighter protection of personal records. It also intends to carry out unannounced visits to hospitals and other organizations to see how data is treated.

"We're going to be doing spot checks," the spokesperson said. "The ICO has also written to the permanent secretary about a number of recent breaches within the NHS."

The ICO was granted powers to perform spot checks in 2007 following a data breach by HMRC. The ICO is expected to be granted extra powers of investigation of public-sector establishments when the Coroners and Justice Bill, currently working its way through parliament, becomes law. The next step in the bill's progress is a committee hearing in the House of Lords in July.

According to ICO figures, there have been 140 data breaches reported by the NHS since November 2007. Of those breaches, 58 are attributed to stolen data or hardware, and 43 to lost data or hardware. In the past three months alone, the NHS has reported 38 data-security breaches, including 14 involving stolen data or hardware. Other causes of breaches include data being lost in transit, non-secure disposal and technical failures.

The Department of Health confirmed on Tuesday that it had received a letter from information commissioner Richard Thomas regarding the data-loss incidents. However, it denied legal responsibility, saying it was a matter for local NHS organizations.

"The NHS locally is legally responsible for complying with data-protection rules," the Department of Health said in a statement. "They need be open about incidents and about the action taken as a result, including action against anyone responsible for breaching our strict data protection rules."

The Department of Health said that NHS IT modernization programs will minimize the risk of data loss. It noted that this year, NHS bodies will be required to publish details of data losses on their Web sites.

"The information commissioner has full authority to prosecute in cases of data breaches," added the Department of Health. "Typically, data losses are investigated locally by the police, and where appropriate, disciplinary action or prosecution can apply."

The information commissioner issued a warning to NHS bodies at the end of April regarding a number of breaches of patient records since 2007. One incident cited was the loss from Cambridge University Hospital of an unencrypted USB stick, which was later recovered by a car-wash attendant. Thomas also mentioned the loss of an encrypted memory stick containing medical details of 6,360 prison patients from HMP Preston--where the password was attached to the device in question.

Thomas also censured North West London Hospitals NHS Trust following the theft of two unencrypted laptops and a desktop during a period when Central Middlesex Hospital's security swipe-card system was disabled for maintenance.