ICO promised new powers to rein in NHS on patient data

News by Tim Ring

The Government has responded to fears about the security of millions of NHS patients' personal data by giving privacy watchdog the Information Commissioner's Office (ICO) the power to carry out 'compulsory audits' on how well the health service looks after personal information.

But the move, announced on Monday by Justice Minister Simon Hughes and due to come into force this autumn, is unlikely to silence the bitter row over the gathering and sharing of GP and hospital data.

Sensitivity on the subject is especially high with new reports accusing IT consultancy PA Consulting of jeopardising privacy by uploading a year's worth of data on hospital visits across England to Google servers based outside the UK.

That accusation follows claims that hospital records are being used by private firms to advise companies on how to target their marketing to people on Twitter and Facebook, and that data mapping company Earthware published an online map which leaked hospital patient data.

It all comes in the wake of the Government's decision to postpone the NHS' £50 million ‘care.data' plan to gather the electronic patients' records from every GP practice in England. Initially due to be launched in April the government was forced to delay the introduction over fears that people had not been properly informed of the plan or their right to opt out.

But in the latest furore over hospital records, both PA and Earthware have hit back at the claims levelled at them.

PA insists that the hospital patient data it stored “does not contain information that can be linked to specific individuals and is held securely in the cloud in accordance with conditions specified and approved by the NHS.

The group added that the data did not contain patient name, address, NHS number or date of birth, and said that sharing patient data has many benefits.

“Our new approach to extracting insight from large volumes of data can help the NHS improve patient care. We have shown where services are needed most by patients and identified previously unseen side effects of drugs and treatments. Our approach protects patient confidentiality and allows insights to be derived at significantly lower cost, and 100 times faster, than any traditional approach.”

Earthware, meanwhile, removed the controversial map from its website but said it was actually a demonstration based on mock HES (hospital episode statistics) data. The company said: “No patient identifiable data was ever displayed on the map. Earthware are confident that we have not breached any legal or regulatory rules regarding the licensing or publication of HES data.”

Information Commissioner Chris Graham believes that the continuing row over the NHS database marks “a line in the sand” for organisations holding personal data, who must recognise that people are now fully aware of the value of their personal information and how their privacy should be respected.

“Citizens and consumers expect organisations to be open and upfront with how their information will be used. In a digital age, this knowledge is invaluable and shows why the Data Protection Act is so important. We must all get it right, or suffer the consequences,” he said last week.

This increased awareness may also explain the Government's decision to give the ICO more powers over NHS data protection.

An ICO spokesperson told SCMagazineUK.com: “The concerns around care.data come from this idea that the health service isn't particularly good at looking after personal information. Now we believe that the audit powers will help us to improve compliance where NHS organisations are having difficulties or there's particular issues raised and brought to our attention.”

The spokesperson added: “In order to find the real issues we think that we need compulsory audit, where we can just go in and have a look at their general data protection practices. It can cover everything from security through to making sure that health records are accurate, to training.”

But because the powers will only be voted in this autumn, that will be too late to affect the crucial concerns over how the care.data scheme is communicated, as this will happen during the next six months.

Meanwhile, the Government is considering bowing to pressure from the ICO to introduce custodial penalties for serious breaches of the Data Protection Act. However, Justice Minister Simon Hughes also indicated that the UK will continue trying to delay and ‘water down' the planned new EU-wide Data Protection law, so it does not overly penalise SME firms financially.

In the same speech where he tackled the NHS data controversy, Hughes praised Information Commissioner Christopher Graham for “arguing eloquently for the introduction of custodial penalties for serious misuse of personal data” but argued that the original form of the European law could have cost the UK economy between £100 million and £360 million a year in penalties.

“The Government wants to see EU data protection legislation that protects the civil liberties of individuals while allowing for economic growth and innovation,” he said. “We are clear that these should be achieved in tandem and not at the expense of one another. There is now a growing consensus in the negotiations around the importance of not placing disproportionate burdens on small and medium enterprises.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Webcasts and interviews 

Interview - Everyone has an Achilles heel: The new security paradigm

How can we defend networks now that the perimeter has all but disappeared?
Brought to you in partnership with ExtraHop