'NHS could face more data breach fines'
29 October 2012
More data breach fines will be issued to NHS bodies if they continue to fail in meeting their legal obligations, the Information Commissioner's Office has warned.
The comments came as it emerged that information on at least 1.8 million patients had been put at risk by NHS bodies within a year.
The figure, which was confirmed to Publicservice.co.uk as being accurate by an ICO spokesman, was collated by the Daily Mail newspaper from the ICO's list of civil monetary penalties.
According to the newspaper, the current data loss rate in the health service equates to 5,000 patient records a day.
Several NHS bodies have been hit with significant fines in recent months, the highest at Brighton and Sussex University Hospitals NHS Trust, which paid a total of £260,000 for early payment – a 20 per cent reduction on its £325,000 fine.
Other parts of the health service have also been fined, taking the total to nearly £1m.
"The health service holds some of the most sensitive personal information available, so it's vitally important that patients' information is being kept secure," an ICO spokesman said.
"If that doesn't happen, and the legal obligations of the Data Protection Act aren't met, we'll issue monetary penalties. That money goes back to the Treasury's Consolidated Fund."
Data breach fines can reach up to £500,000. Concerns have arisen that fines on the health service will impact on patient care. Christopher Fincken, an influential health care confidentiality expert, has warned that "innocent" patients will lose out.
But the ICO has argued monetary penalties do "discourage others from making the same data protection mistakes".
It is also pushing for compulsory audit powers.
"Our concern isn't just that the right procedures are in place, but that there's a culture among staff whereby everyone takes their responsibilities seriously, and effective data handling becomes second nature," a spokesman said.
"For that reason, we're calling for powers to conduct compulsory audits in both the NHS and local government sectors."
This will not be the last time we read about NHS information loss. Laptop security, lost devices & paperwork get all the headlines, but there is a greater disaster waiting to happen. What if a hospital's systems went down? Would they be able to recall their data? And would they be able to continue to provide care to the patients if they couldn't? A recent BridgeHead survey targeting UK and US hospitals showed that 64% of healthcare providers had a disaster recovery strategy in place, but over 25% had failed to test it, and 75% agreed their intended objectives for data backup were not being met. In the face of unstoppable data growth, it's becoming a serious challenge for hospitals to effectively store, protect and share data. So, whilst we read about tablets left in cabs, and the like, I cannot help but wonder about the 'sleeping giant' that is data management in the NHS.
Jim Beagle, CEO BridgeHead Software - Adshead, UK