NHS Staff breach personal data 806 times in three years.

November 7, 2011 Leave a comment

NHS staff breach personal data 806 times in three years

One in eight breaches reported by health service organisations resulted in staff dismissal.

Figures released to the privacy campaign group Big Brother Watch show that 806 separate incidents involving patient medical records being compromised took place at 152 NHS trusts between July 2008 and July 2011.

The group, which obtained data from the majority of NHS organisations in the UK, found that breaches included 23 incidents of patient information being posted on social networking sites by staff, 129 separate instances of NHS employees looking up details of colleagues and family members and 57 incidents involving unsecured confidential information being stolen or lost by staff.

Of the 129 incidents concerning healthcare staff inappropriately looking up patient information, 91 related to an NHS employee illicitly viewing the confidential medical details of a colleague. In some cases the individual was found to have revealed the information to other staff.

The 23 incidents relating to breaches involving social media shows that 11 trusts released details of such incidents, in which 13 medical personnel were involved. One of the cases resulted in the dismissal of the employee. Over the last three years 102 health service employees have been dismissed for breaching data protection.

Nick Pickles, director of Big Brother Watch, said: “This research highlights how the NHS is simply not doing enough to ensure confidential patient information is protected.

“The information held in medical records is of huge personal significance and for details to be disclosed, maliciously accessed or lost and these cases represents serious infringements on patient privacy.”

The group obtained the data through freedom of information requests sent to 428 trusts in EnglandScotlandWales and Northern Ireland. It received responses from 354 trusts, with 55 providing partial responses and 74 not replying.

Commenting on the findings, health minister Simon Burns said: “It is completely unacceptable for staff with no involvement in providing or supporting care to access confidential patient information. Patients have a right to expect that their personal medical information is kept private.

“We have issued clear standards and guidance to the NHS about what needs to be done to keep patient records secure and confidential. Individual NHS organisations are responsible for ensuring their staff understand and follow that guidance. Any member of staff discovered intentionally breaching this should be subject to appropriate disciplinary action.”

The group’s findings follow the justice committee’s recent backing for the Information Commissioner’s Office (ICO) to gain more powers. A report by the committee said that the ICO should have the power to issue custodial sentences for breaches of the Data Protection Act. At present it can only issue fines to organisations which breach the act. Its report also said that the privacy watchdog has limited powers to prevent data protection breaches, particularly in the healthcare sector.

This article is published by Guardian Professional. Join the Guardian Healthcare Network to receive regular emails on NHS innovation.

Categories: Uncategorized

The DPA more than an Act, it’s a way of life

November 2, 2011 Leave a comment

As you are no doubt aware, the Information Commissioners Office (ICO) has a number of regulatory actions it can use to ensure compliance with the Data Protection Act (DPA), not least of which are its powers to serve monetary penalty notices of up to £500,000 for serious contraventions of the data protection principles.  But now there is renewed activity in the arena of providing more ‘new teeth’ to the Commissioner that could see compulsory audits across all sectors, not just central government.

At the 10th annual data protection compliance conference in London on 13th October, the Information Commissioner, Christopher Graham stated that “Compulsory audit powers are needed for local government, the NHS and the private sector” and “the ICO is being blocked from auditing organisations in sectors that are causing concern over their handling of personal information.”  Currently the ICO can only conduct compulsory audits on central government departments, but there have been well publicised cases where breaches have occurred in other organisations that may have been prevented had the ICO been able to audit them.

As I write this, the Commissioner is preparing a business case that will change the law and provide an extension of the ICO’s Assessment Notice powers under the Coroners and Justice Act of 2009.  Unlike, what the ICO like to term the “good practice” consensual audits, a compulsory audit is conducted following the issuing of an assessment notice.  These notices are used in circumstances where there is a risk that individuals’ data will be compromised, but the organisation is unwilling, for whatever reason, to engage constructively with the ICO.

Given that this change in legislation will give the ICO additional powers to inspect the aforementioned organisations, I wonder whether all data controllers are ready and have their house in order so they can demonstrate to the ICO that they are complying with the Data Protection Act principles and so avoid an assessment notice.  Some of the initial drivers that would lead the ICO to consider using its formal regulatory powers are firms carrying out the following types of conduct, so I suggest that your data controllers at least check these areas:

  • repeated failure to take adequate security measures;
  • collecting and retaining detailed or sensitive personal information on a ‘just in case’ basis;
  • seriously intrusive marketing, for example repeated failure to observe the customers telephone preference service requirements;
  • failure to notify, despite receiving reminders from the ICO; and
  • denial of subject access where it is reasonable to suppose significant information is held.

The ICO does not have to seek the consent of the data controller to undertake this assessment, and the organisation will be required by law to take certain action such as:

  • permitting the Commissioner to enter any specified premises and observe the processing of any personal data that takes place;
  • allowing the Commissioner access to documents, equipment or other material on the premises and provide copies if requested by the commissioner; and
  • making available for interview by the Commissioner persons who process personal data on behalf of the data controller.

In my opinion, these powers, once granted to the ICO, would mean that the ICO’s ‘good practice consensual audit’ may manifest itself into a regulatory tool and for those organisations failing the audit further sanctions could be applied.

Is data and information security embedded into your organisation, is it part of your way of life?  If not then you could become a victim of the Commissioners new regulatory ‘teeth’.

AMANDA HARTSHORNE      www.finextra.com

Categories: Uncategorized

ICO Repeats Data Encryption Guidance

October 28, 2011 Leave a comment

ICO Repeats Data Encryption Guidance

24 October 2011

The Information Commissioner’s Office (ICO) has repeated its guidance that organisations that handle personal data must encrypt that information if its loss would cause distress or damage. The ICO’s advice is given with reference to the Data Protection Act, which states that appropriate technical and organisational measures must be taken to protect personal data. The ICO issued a statement following the loss of laptops by two separate organisations containing unencrypted personal data.

Data encryption is a relatively straightforward process and a variety of programs are available on numerous platforms; many of them free open-source projects. Most encryption programs are easy to use, although the largest obstacle to adoption of this security measure appears to be awareness amongst staff of both the use of encryption and its importance in relation to data protection.

Organisations would benefit from holding staff training sessions where they are able to raise awareness of data protection issues. Most employees undoubtedly have a good understanding of the principle of confidentiality and why it is important, although information about the difference between data, personal data and sensitive personal data could benefit an organisation by making its employees think twice before handling it.

The ICO offers a range of free literature for individuals and organisations on its website and many organisations would do well to take advantage of this. Members of staff who handle personal data and sensitive personal data should also be required to attend training on data encryption and to use it as part of their data processing duties.

Lawdit understands the importance of good data protection practices and we believe it is vital that every organisation should have procedures and safeguards in place to protect against data loss. Please contact us for a free discussion if you have any data protection questions or concerns and a member of our team will be pleased to offer you the help and advice you’re after.

By Aasim Durrani. Aasim is a legal assistant to Izaz Ali (izaz.ali@lawdit.co.uk) and can be contacted on aasim.durrani@lawdit.co.uk

Categories: Uncategorized

DataSafe Storage Ltd Newsletter

October 27, 2011 Leave a comment

The Information Digest

Categories: Uncategorized

Are Your Health Records at Risk ?

October 26, 2011 Leave a comment

Last week I read a disturbing headline, “Patients put off treatment due to NHS data breaches,” and was rendered slack-jawed. The UK’s National Health Service, has according to the UK’s Information Commissioner’s Office suffered regular data breaches resulting in the loss or mishandling of millions of patient records in 2011. Before we sigh in relief as to how it isn’t the U.S. being discussed, know the UK isn’t alone in the loss of Personal Health Information (PHI), as throughout the U.S., hospitals and care-givers are losing patient PHI on a far too regular basis. As I discussed in my piece, “Patient Data: The Crown Jewels” in the first half of 2011, more than five million (5,000,000) PHI records were lost or mishandled in the U.S., 100 percent of which were preventable. Meanwhile, in just the last month, we read in SC Magazine’s Data Breach Blog how a Delaware pediatric health facility lost data on 1.6 million patients. Then we learned of the astounding loss of approximately five million PHI records of Tricare patients, and we soon arrive at the very worrisome realization; the total is well beyond 11 million PHI records compromised thus far in 2011.

So should we be concerned when more than 3.5 percent of the entire U.S. population has had their PHI compromised? Yes.

A SailPoint Market Plus Survey conducted by Harris Interactive released in September 2011 is instructive and should serve as a barometer of sentiment to the medical profession:
29 percent of Americans, 26 percent of Britons and 26 percent of Australians expressed concern their PHI may be exposed on the internet.

35 percent of Americans, 33 percent of Britons and 37 percent of Australians expressed concern their PHI may be used for identity theft

10 percent of Americans, 14 percent of Britons and 11 percent of Australians expressed concern their PHI would be accessed by staff members not directly related to their medical care.
As the NHS survey in the UK indicates, patients will put off seeking treatment, as they are concerned about the unintended consequences suffered when their PHI may become compromised. This should never be the case.

Notified individuals are now, on medical identity theft alert, and will be for the remainder of their lives. They will need to watch for the exploitation of their PHI and mindful of the very real potential that if their PHI is exploited and used, that their PHI may become corrupted. Healthcare providers will have to take additional steps to ensure that the person they are treating is the person whose records are being referenced.

On the financial side of the equation, there is the breach notification cost which will be borne by the party who lost your PHI. According to the Ponemen Institute, the ultimate cost for each compromised record has reached 214, while the overall organizational average cost in the U.S. at 7.2 million per incident. Oftentimes the individual whose record has been compromised will be afforded credit monitoring services for 90-days. In my opinion, it should be for life, vice 90-days. Why? Your personal identifying information (PII) contained within your PHI has a shelf-life equal to your physical life, not 90 days.

Have we now arrived at the point in obtaining medical care that in addition to looking into the medical practitioner’s experience, confirm that they are compliant with HIPAA, that we now must review their data handling policies both electronic and physical in choosing a health care provider?

Welcome your thoughts and comments.

For additional reading:
Patients put off treatment due to NHS breaches (13 October 2011)
Ponemon: Cost of a data breach climbs higher (8 March 2011)
SC Magazine: Data breach log (11 October 2011)
SailPoint Survey Highlights Consumer Fear Over Stolen Personal or Financial Information (20 September 2011)

By Christopher Burgess at HuffPost

Categories: Uncategorized

UK Customers ‘are not confident about data protection’

October 25, 2011 Leave a comment

Customers ‘are not confident about data protection’

A high number of individuals have expressed their concern about the security of their personal information when they give confidential data to UK businesses, the results of a new study have revealed.

Research carried out to mark the launch of National Identity Fraud Protection Week and commissioned by Fellowes highlighted 96 per cent of customers were not confident firms were taking enough action to protect them against security risks and fraud.

In addition, analysts discovered just 52 pet cent of businesses have policies in place to protect the identity of individuals that have presented their personal details.

Andrea Davies, president of Fellowes Europe, said: “Clearly, if almost half of people would avoid a company that has suffered an information breach, it is really in a business’ commercial interests to be vigilant about fraud.”

The findings reflect an overall downturn in consumer confidence and highlights the importance of ensuring data is stored in the correct manner for companies, which is often carried out with the introduction of clear, concise security strategies.

In addition, many employees suggested a change to operations to ensure information can remain protected after 50 per cent argued that sensitive information could be obtained from company computers.

A growth to the number of people taking part in remote working is also making employees more vulnerable to identity theft outside the office. Fellowes researchers found 39 per cent of these do not shred private documents and fail to carry out workplace measures in their home.

“It is essential to treat documents responsibly wherever you are … Document safety polices need to extend to all areas of work, wherever that work may take place,” Ms Davies added.

The findings emerge after Steve Hughes, principal cloud computing specialist at Colt, expressed his wishes for the EU efforts for data privacy would rationalise information protection requirements across Europe.

Posted by Phil Williams

Courtesy of  Hostway Global Web Solutions

Categories: Uncategorized

Information commissioner calls for compulsory audits

October 24, 2011 Leave a comment

Information commissioner calls for compulsory audits

Data protection audits must be compulsory in NHS and local government, says information watchdog Christopher Graham

Christopher Graham, the information commissioner, has said that data protection audits must be compulsory in local government and the healthservice to ensure compliance with the law.


His call came as figures showed that ICO is being blocked from auditing organisations in sectors that are causing concern over their handling of personal information.


Currently, the watchdog’s only compulsory data protection audit powers are for government departments, but data breaches in the NHS continue to be a major problem.


The ICO said that of the 47 undertakings it has agreed with organisations that have breached the Data Protection Act since April, more than 40% (19) were in the NHS.


The most serious personal data breaches resulting in fines have occurred in local government. Four of the six penalties served so far involved local authorities.


However, the private sector generates the most data protection complaints and only 19% of companies contacted by the ICO accepted the offer of undergoing an audit. Graham wants the compulsory powers to extend to the private sector.


“Something is clearly wrong when the regulator has to ask permission from the organisations causing us concern before we can audit their data protection practices,” he said.


“Helping the healthcare sector, local government and businesses to handle personal data better are top priorities, and yet we are powerless to get in there and find out what is really going on.”


This article is published by Guardian Professional. For updates on public sector IT, join the Government Computing Network here.

Categories: Uncategorized
%d bloggers like this: