The U.K. Information Commissioner's Office is putting pressure on the NHS to improve data security at its facilities, following a string of breaches.
In the past six months, the privacy watchdog has taken action against 14
Department of Health organizations that have exposed private data, a
spokesperson for the ICO said on Tuesday.
The office has now written to the permanent secretary for the Department of
Health, Hugh Taylor, to ask for tighter protection of personal records. It also
intends to carry out unannounced visits to hospitals and other organizations to
see how data is treated.
"We're going to be doing spot checks," the spokesperson said. "The ICO has
also written to the permanent secretary about a number of recent breaches within
The ICO was granted powers to perform spot checks in 2007 following a data
breach by HMRC. The ICO is expected to be granted extra powers of
investigation of public-sector establishments when the Coroners
and Justice Bill, currently working its way through parliament, becomes law.
The next step in the bill's progress is a committee hearing in the House of
Lords in July.
According to ICO
figures, there have been 140 data breaches reported by the NHS since
November 2007. Of those breaches, 58 are attributed to stolen data or hardware,
and 43 to lost data or hardware. In the past three months alone, the NHS has
reported 38 data-security breaches, including 14 involving stolen data or
hardware. Other causes of breaches include data being lost in transit,
disposal and technical failures.
The Department of Health confirmed on Tuesday that it had received a letter
from information commissioner Richard Thomas regarding the data-loss incidents.
However, it denied legal responsibility, saying it was a matter for local NHS
"The NHS locally is legally responsible for complying with data-protection
rules," the Department of Health said in a statement. "They need to be open about
incidents and about the action taken as a result, including action against
anyone responsible for breaching our strict data protection rules."
The Department of Health said that NHS IT modernization programs will
minimize the risk of data loss. It noted that this year, NHS bodies will be
required to publish details of data losses on their Web sites.
"The information commissioner has full authority to prosecute in cases of
data breaches," added the Department of Health. "Typically, data losses are
investigated locally by the police, and where appropriate, disciplinary action
or prosecution can apply."
The information commissioner issued
a warning to NHS bodies at the end of April regarding a number of breaches
of patient records since 2007. One incident cited was the loss from Cambridge
University Hospital of an unencrypted USB stick, which was later recovered by a
car-wash attendant. Thomas also mentioned
an encrypted memory stick containing medical details of 6,360 prison
patients from HMP Preston, where the password was attached to the device in
Thomas also censured North West London Hospitals NHS Trust following the
theft of two unencrypted laptops and a desktop during a period when Central
Middlesex Hospital's security swipe-card system was disabled for