TLT Solicitors

The ICO brands health sector data security issues as "systemic"


Updated August 2011

Following five recent data protection breaches by health organisations involving the disclosure of sensitive personal information, the Information Commissioner has described data security within the health sector as a "systemic problem".

What happened?

In February 2011, Ipswich Hospital NHS Trust misplaced 29 patient records after an employee took them offsite to update a training log. In a separate incident, Dunelm Medical Practice in Durham sent discharge letters about two patients' operations to the incorrect recipient. It has also been reported that the Information Commissioner's Office (ICO) is currently investigating a massive data breach by NHS North Central London, which may result in a significant fine. Apparently the sensitive data of over 8 million individuals was lost on an unencrypted laptop which was left in a storeroom of a research company that was carrying out work on behalf of NHS North Central London. Further data security breaches were committed by three other NHS trusts.

The ICO concedes that there is scope for human error due to the sheer volume of records regularly accessed within the NHS. However, the ICO also maintains that of all sectors in the UK, the health sector holds some of the most sensitive personal information and more needs to be done to keep patients' personal information secure.
The ICO notes that whilst adequate policies may have been established, these policies are not, in some cases, being implemented on the ground.

Comment

This latest warning is in line with the ICO's recent decisions in relation to breaches involving the disclosure of sensitive personal information. We recommend that all organisations handling sensitive personal information review their data protection procedures and consider whether further staff training is required to ensure that sensitive personal information is held and transmitted securely and that the appropriate policies and procedures are being implemented and followed on a day-to-day basis.

If you require any assistance in relation to data protection matters, please contact Alison Deighton.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at August 2011. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.

TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.




Contact

  • Alison Deighton
    Partner
    Tel: +44 (0)117 917 8016

© 2012 TLT LLP