Patients must not lose out because of NHS data penalties

08 October 2012

By Matthew D'Arcy

Punitive fines imposed on NHS bodies for compromising personal data are taking scarce resources away from "innocent patients", risking missed operations and reduced care, a confidentiality expert has warned.

Serious breaches of the Data Protec­tion Act have resulted in several large penalties for the NHS in recent months from the Information Commissioner who can impose fines of up to £500,000.

But Christopher Fincken, who was speaking as an individual and not as chairman of the UK Council of Caldicott Guardians, said it was "quite wrong" that the fines "effectively come out of funding patient care".

He told a Public Service Events NHS informatics conference: "There needs to be a different mechanism, a fairer way, that doesn't penalise the innocent patient for the failings of the organisations that are there to serve."

Fincken told Public Servant there was "clearly a need" for the Information Commissioner's Office to get its message across and to "impose fines if necessary", but "relevant officers" in the NHS needed to be "responsible and accountable".

"If you cut your expenditure on information governance, if you don't train your staff adequately because you believe on a risk basis you are not very likely to get fined, then that is an executive decision that somebody has taken," he said. "The person who has taken that decision then has to follow on from the consequences of the actions of the organisation when they don't do things."

The Information Commissioner was not wrong to impose fines, he said, but society needed to think very carefully "if it means that somebody isn't going to get their operation, or somebody isn't going to have the access that they should have to health services".

The ICO has now responded to Fincken's comments