The Information Commissioner has written to the permanent secretary of the Department of Health demanding immediate improvements to the lax treatment of personal data within the NHS.
The demand for urgent action by the Information Commissioner, Richard Thomas, comes in the wake of a string of recent incidents where the institute has been forced to take action against 14 NHS organisations for breaching data regulations.
According to the Information Commissioner’s Office, between January and April this year 140 security breaches were reported within the NHS – more than the total number from inside central Government and all local authorities combined.
E-Health Insider has reported many of the breaches, including one at Camden Primary Care Trust, which dumped computers containing medical notes of 2,500 patients in a skip near St Pancras Hospital.
Other incidents reported by EHI and EHI Primary Care have included a GP who downloaded a complete patient database, including the medical histories of 10,000 people, on to an unsecured laptop that was subsequently stolen.
In another incident, a memory stick containing the medical histories of 6,360 prison patients and ex-inmates of Preston prison was lost. Though the data was encrypted, the password was written on a Post-It note that was attached to the device.
In an interview with the Independent newspaper, Mick Gorrill, the assistant Information Commissioner in charge of enforcement, said the sheer number of data losses within the NHS had become a cause of "great concern".
"Medical history is very sensitive personal data, which is likely to cause harm or distress. The law dictates they must keep this information confidential, but the NHS is by far the biggest offender within the public sector," said Mr Gorrill.
The Information Commissioner’s Office confirmed that it will carry out spot checks on NHS organisations that have already seriously breached the Data Protection Act.
A spokesperson for the ICO said this is something that has been part of the ICO’s role for some time, though it is not widely publicised as the watchdog needs to maintain the element of surprise before carrying out the checks.
The spokesperson said: “The Information Commissioner’s Office already carries out spot checks in the form of audits which are tailored to the area of concern, in this case data protection.
“Those who have already committed serious breaches of the act are spot checked regularly and if found to be breaching the Data Protection Act will be given guidance and information on preventative methods.
“Those who make serious or regular data breaches are likely to experience enforcement action.”
A spokesman for the Department of Health said that the permanent secretary Hugh Taylor would be responding to the Information Commissioner “in due course.”
The Information Commissioner’s Office also said that the new legislative powers that have been handed to the office to fine NHS bodies for “deliberately or recklessly” breaching the Data Protection Act would come into force by the end of the year.