'NHS must change to stop breaking data laws'
01 July 2011
The health service is not doing enough to keep patients' personal information secure, the Information Commissioner has warned.
Finding a further five health organisations in breach of the Data Protection Act, Christopher Graham expressed concerns about a "systemic problem" of data breaches in the NHS.
"The health service holds some of the most sensitive personal information of any sector in the UK," he said, adding that millions of records being constantly accessed would lead to occasional human error.
But pointing to incidents including a current investigation into the loss of up to eight million patient records on missing laptops from NHS North Central London, Graham said "the security of data remains a systemic problem".
"The policies and procedures may already be in place but the fact is that they are not being followed on the ground," he said.
"Health workers wouldn't dream of discussing patient information openly with friends and yet they continue to put information on unencrypted memory sticks or fax it to the wrong number.
"The sector needs to bring about a culture change so that staff give more consideration to how they store and disclose data."
The Information Commissioner's Office (ICO) said five undertakings recently issued to health bodies all related to failure to take steps to make sure personal information was kept secure.
For example, in February, Ipswich Hospital NHS Trust lost 29 patient records when an employee took them home to update a training log and then lost the records.
During the same month in Durham, a member of staff at Dunelm Medical Practice entered an incorrect fax number on discharge letters, leading to them being sent to the wrong recipient. The practice has now agreed to use a secure email system.
And undertakings have also been signed by East Midlands Ambulance Service NHS Trust, Lancashire Teaching Hospitals NHS Foundation Trust and Basildon and Thurrock NHS Trust, after data breaches.
Graham said the ICO was now working with Connecting for Health to help the NHS tackle their issues.
A Department of Health spokesman said they fully supported the Information Commissioner's call for improvement to patient confidentiality.
"There is absolutely no excuse for breaches leading to the loss of sensitive and personal data. Encrypting information held on portable devices such as laptops and memory sticks is just as important as avoiding public conversations about patients' details.
"Having set clear standards for NHS organisations to adhere to on data handling, we urge them to ensure that staff understand and follow that guidance."
I wholeheartedly agree with Information Commissioner Christopher Graham's sentiments about a 'disturbing' culture in the health service when it comes to protecting patient records. With millions of personal medical records being lost by NHS trusts and hospitals at present, it's important that the NHS implements robust policies to ensure that patient information is managed responsibly.
The NHS needs to integrate corporate self-regulation into their organisation and build a genuine culture of doing the right thing. Sound records management: data entry, cataloguing, tracking, retrieval and indexing systems should be of high importance as the NHS brings itself into the digital age. After all, the public have a right to expect that information about them is handled with care.
Christian Toon - Iron Mountain