A leading privacy watchdog has called for tougher penalties for breaches of the Data Protection Act, arguing that present legislation is not enough of a deterrent.
Big Brother Watch says courts should be given the option of imposing custodial sentences on those who breach the act, and that the “worst offenders” should be left with a criminal record.
It also argues that staff should be given better training in a report that identifies 7,255 breaches of the DPA in the NHS over three years.
Emma Carr, director of Big Brother Watch, said: “With an increasing number of people having access to patient information, the threat of data breaches will only get worse.
“Urgent action is therefore needed to make sure that medical records are kept safe and the worst data breaches are taken seriously.”
Privacy campaigners have been calling for tougher laws for those who illegally access confidential information for almost a decade.
In 2006, the then-information commissioner, Richard Thomas, issued a report called ‘What Price Privacy?’, which said the advent of large, government IT systems – including those planned for the NHS – made it imperative to toughen and enforce the law.
The report identified two major problems – paying people to disclose information, and ‘blagging’ or impersonating someone to obtain information – which, it added, were often used by private investigators and journalists fishing for personal data.
As a result of the report, and lobbying by pressure groups, the Information Commissioner’s Office was given the power to impose fines on organisations of up to £500,000 for “serious” breaches of the DPA that caused “substantial” damage or distress.
The biggest fine imposed on the NHS to date was levied on Brighton and Sussex University Hospitals NHS Trust in 2012. It was fined £325,000 and paid £260,000 after a contractor sold old hard drives containing patient information on eBay.
Despite this, the latest Big Brother Watch report says “the current level of sanctions for serious data breaches does not deter individuals who are intent on breaking the law” or make it possible to “effectively punish individuals that knowingly flout the rules by accessing, and in some cases selling, personal information to third parties.”
“It is not acceptable that, at present, individuals who carry out serious data breaches cannot receive a criminal record,” it argues. “The failure could result in the same offence re-occurring at a different organisation after an individual has resigned or been dismissed, having been caught.”
The pressure group says there have been at least 7,255 data breaches since 2011, or the equivalent of 2,418 a year, 201 a month, 46 a week, and six a day.
The breaches include instances of data being inappropriately posted on social media, as well as theft and loss, inappropriate use of IT systems, misplaced letters, faxes and emails, and unauthorised sharing with third parties.
Big Brother Watch says the sheer range of problems indicates a need for much better training for staff. It also says there is a need for better and more consistent reporting of breaches.
The list included in the report suggests that trusts have widely divergent reporting practices, with some reporting no breaches, others reporting dozens of apparently minor breaches, such as information being left on printers or in recycling boxes, and others refusing to disclose details.
The National Information Board’s IT strategy, published last week, says a number of measures will be taken to strengthen public trust in the use of data and information.
‘Personalised Health and Care 2020’ says the new national data guardian, Dame Fiona Caldicott, will review data handling by the care system, and move to enable the public to see an audit trail of who has handled their data and why.
It also says Dame Fiona will “consider any sanctions… that should be brought to bear on those who misuse personal health and care information.” However, this stops short of endorsing the call for criminal sanctions.