NHS slammed for data loss
By Mark Gould
Thursday, 30 October 2008
Detailed medical records and names and addresses of at least 4600 NHS patients were stolen or went missing last year, according to new figures on security breaches.
But the actual figure is probably much higher, as many trusts were unable to quantify the possible data protection implications of the theft or loss of computers, laptops, filing cabinets, and waste paper or post that had “gone missing”. And three of the 10 English Strategic Health Authorities failed to provide data on information loss as they said they had not received the required freedom of information requests.
While there were 40 separate “serious untoward incidents” of data loss reported last year, just one of them, the loss of a memory stick, was categorised as “significant” as it accounted for easily accessible data on 4,000 patients. Other incidents such as the loss of a computer disc and another memory stick accounted for information on 554 patients.
There were a total of 75 breaches of data security rules by the health service reported to the Information Commissioner's office in the past year, the new figures reveal. The NHS and healthcare sector is second only to the whole of the private sector at losing computers, records and data. The 75 breaches included 27 lost computers and laptops, 14 losses of paper records and 18 of removable media such as memory sticks.
Information commissioner Richard Thomas said reports had "soared" since the high-profile loss of 25 million child benefit records last year.
He said responsibility for data breaches should lie with chief executives, who should ensure appropriate policies and procedures are in place, that privacy is incorporated into their technology and that staff are properly trained.
"It is alarming that despite high profile data losses, the threat of enforcement action, a plethora of reports on data handling and clear ICO guidance, the flow of data breaches and sloppy information handling continues," said Mr Thomas.
A Department of Health spokesperson said: "The Data Handling Review, published this summer, established clear minimum standards for central government in respect of managing information risk. DH, along with other government departments, has been implementing these. In many areas, e.g. encryption of portable media, the department has been working to these high standards for some time.
"In addition, David Nicholson, chief executive of the NHS, has written to all senior health managers reminding them of their responsibilities following the level of public concern in the wake of data losses.
“The NHS locally has a legal responsibility to comply with data protection rules and is expected to take data loss extremely seriously. It should be open about incidents, take appropriate disciplinary action where breaches occur and be transparent about the action taken as a result.
"We have also worked with NHS Employers to develop clear guidance on the disciplinary action that should be taken when staff fail to follow procedures and guidance."