Information Commissioner claims that health service needs a culture change and to do more to keep data secure

News by Dan Raywood

The NHS must get data security right and policy and procedures must be followed.

According to the Information Commissioner Christopher Graham, the NHS needs to do more to keep patients' personal information secure and while human error does occur, major incidents suggest that the security of data remains a systemic problem.

He said: “The policies and procedures may already be in place but the fact is that they are not being followed on the ground. Health workers wouldn't dream of discussing patient information openly with friends, yet they continue to put information on unencrypted memory sticks or fax it to the wrong number.

“The sector needs to bring about a culture change so that staff can give more consideration to how they store and disclose data. Complying with the law needn't be a day-to-day burden if effective measures are built in and then become second nature.

“My office is working with Connecting for Health to identify how we can support the health service to tackle these issues.”

Graham particularly referenced the lost NHS North Central London laptop and confirmed that five more undertakings have been issued to Ipswich Hospital NHS Trust, Dunelm Medical Practice in Durham, East Midlands Ambulance Service NHS Trust, Lancashire Teaching Hospitals NHS Foundation Trust and Basildon and Thurrock NHS Trust. These relate to incidents in which appropriate steps to keep sensitive personal information secure were not taken.

Jonathan Armstrong, partner at Duane Morris, told SC Magazine that this announcement fits in with what has been seen in the last six to seven weeks, and it is clear that the Information Commissioner's Office (ICO) is making the NHS a particular target.

He said: “In the past hospitals have done some stupid things with regards to information security, but there are really few cases where people have been malevolent; most are people doing what they 'normally' do.

“The only way to address this is to lock things down, which we have seen more, but they need to stop losing things, putting data in the wrong envelope and stop sending emails to the wrong people. The ICO is now on to this and on to the NHS and wants to clean up, as the public care more about what happens to their health records, and the ICO is right to focus on it. For the NHS it is difficult to correct centuries of sloppy practice.”

He spoke of a client, which he described as 'a diverse organisation' that employs people at a similar level. He said that three years ago they realised that security breaches were going to occur, accepted that they would, and formulated a response plan with data stored separately in different places.

“The NHS is huge but it could be bold and have a security breach centre of excellence that handles security breaches, diagnoses the situation, minimises harm and puts in a residual process. With this the ICO might be convinced that they are fixing the problem,” he said.

“If they wanted to be really radical they could engage with the ICO on a daily basis and be based in Wilmslow. The NHS needs to analyse and do something radical.”
