The court should be able to prosecute doctors who have laptops containing unencrypted patient information stolen from their cars, according to the Information Commissioner’s Office (ICO).
The ICO has put forward proposals to the Ministry of Justice that would make it a criminal offence to “knowingly or recklessly” flout data protection rules, with a potential fine of up to £5000.
David Smith, assistant information commissioner, outlined the ICO’s proposals when giving evidence last week to the Lords Constitution Committee inquiry on surveillance and data collection.
Smith told the Lords: “Say a doctor or hospital leaves a laptop containing patients’ records in his car, it’s hard to say that’s anything but gross negligence.”
Lord Lyell of Markyate queried the proposals, suggesting it was out of proportion to criminalise a GP for a single incident when it was necessary to carry laptops containing patient information as part of their daily work.
However, Richard Thomas, Information Commissioner, told the Lords that the intention was to use the law proportionately and to target cases where, for example, encryption had not been used.
He added: “Frankly any doctor should be able to encrypt data. Our intention is not to criminalise a doctor for a single incident but where there has been gross negligence we need to have some sort of deterrent to make sure people understand the importance of safeguarding information.”
Current rules mean the ICO can only issue enforcement notices to organisations that break the data protection rules, and only financial services organisations can be fined for breaches of the Data Protection Act. A spokesperson for the ICO told EHI Primary Care that the proposed changes to the law would apply to anyone who “knowingly and recklessly” breached the Data Protection Act.
She added: “The Information Commissioner gave the example of someone such as a GP leaving a laptop with personal information in an area where it can be stolen but it would apply to all NHS health professionals and anyone else who knowingly and recklessly breached the Data Protection Act.”
Thomas also told the Lords Constitution Committee that he was delighted that the government was currently introducing legislation that would introduce criminal charges up to and including imprisonment for those who trade in personal data.
He said the Department of Health supported the ICO proposal for greater penalties as this would help secure the NHS Care Records Service.
He added: “95,000 people in the health service will have access to these health records and confidentiality and security around health records is a major concern. The Department of Health has supported our call for increased penalties and also wants to see guidance and training for their staff on the risks of being duped and consequences which would face anybody who improperly disclosed information.”
In other evidence, Thomas questioned the government’s plans for a database of all children rather than just those known to be at risk, the need for which he said was clear.
He told the Lords: “We are more sceptical about the need to keep even basic information about all children for the vague basis of safeguarding their education and their health.”