The NHS has been the source of almost a third of the data breaches reported to the Information Commissioner’s Office since 2007.
The NHS has been responsible for 305 of the 1,007 reported breaches. Two hundred and eighty-eight have come from the private sector, 132 from local government and 18 from central government.
The figures suggest that the health service has a particular problem with the theft of devices holding personal data, underlining the importance of encrypting data at rest as the last line of defence for sensitive information once a device has been lost or stolen.
The figures show that in the NHS, 116 data breaches were caused by stolen data and hardware. A further 87 were caused by lost data and hardware.
There were also 43 breaches from data disclosed in error, 17 breaches from information lost in transit, 17 from technical/procedural failure, 13 from non-secure disposal, and 12 from ‘other’ causes.
Reflecting on the milestone 1,000 data breaches reported to his office, David Smith, deputy information commissioner, said: “Extra vigilance is required so that people’s personal information does not end up in the wrong hands.
“Organisations should have clear security and disclosure procedures that staff can understand, properly implement these and ensure that they are being followed. Staff must be adequately trained not just in the value of personal information, but in how to protect it.”
The ICO has produced top tips and a guide to data protection to provide businesses and organisations with practical advice.
In April 2010, the ICO was given new powers to impose penalties of up to £500,000 for breaches of the Data Protection Act (DPA).
Guidance issued by the ICO says it will only issue a monetary penalty notice if there has been a “serious” breach of the DPA, if the breach was likely to cause “substantial” damage or distress, and if the breach was either deliberate or the data controller failed to take “reasonable steps” to prevent it.
Even so, the guidance suggests that many of the NHS breaches would meet those criteria. The ICO has yet to use its new powers, but Chris Pace, public sector specialist at Sophos, predicted that it would.
“The news that over 1,000 organisations have already been reported to the ICO for mishandling data brings into sharp focus the need for organisations to behave more responsibly with sensitive information,” he told E-Health Insider.
“Organisations can now be penalised for perceived recklessness and we believe this is a constructive step forward – ensuring protection against the most damaging breaches of the Data Protection Act.
“The ICO’s new powers to fine organisations for deliberate or reckless breaches of the Data Protection Principles should help to engender confidence in the general public.”
Link: ICO announcement: 1,000 data breaches reported to the ICO. Includes links to the sources of the data breaches and ICO advice and guidance.