The Information Commissioner’s Office has urged organisations to consider privacy before developing new IT systems or changing the way they handle personal information.
The call was made as the ICO issued the latest version of its Privacy Impact Assessment handbook, and days after yet another NHS trust was rapped for breaching data protection rules.
Salford Healthcare NHS Foundation Trust has become the 15th organisation in six months to be asked to sign a formal declaration to abide by the Data Protection Act after it admitted the theft of a computer holding sensitive information on 3,500 patients.
The computer had not been secured to a desk, individual applications were not password protected and the data in them was not encrypted in line with NHS policy.
The undertaking signed by the trust says that in future it will ensure that personal information is routinely held on secure network servers rather than laptops or desktops, and that any information that has to be held locally will be encrypted, protected by strong passwords and erased as soon as possible.
In a statement issued to support the Privacy Impact Assessment handbook, the ICO argues that organisations should build in security from the outset, instead of trying to add it to systems that are already in place.
The handbook is a guide to conducting privacy impact assessments, which the ICO says can help organisations to identify and manage risks, avoid “the introduction of inadequate solutions late in a scheme’s development”, avoid costs and gain valuable input from stakeholders.
Jonathan Bamford, assistant information commissioner, said: “It is essential that before introducing new systems and technologies, which could accelerate the growth of a surveillance society, full consideration is given to the impact on individuals and that safeguards are in place to minimise intrusion.”
Link: The handbook and the details of Salford’s undertaking are on the ICO website.