NHS needs a security czar to prevent continuous data walkabout

18 April 2012

While the South London Healthcare NHS Trust signs a Data Protection Undertaking, the security industry wonders why we have learnt nothing in the last two years – and calls for a new NHS data protection czar.

“The Information Commissioner (the “Commissioner”) was informed by the data controller of the loss of two unencrypted memory sticks, the leaving of a clipboard with ward lists attached in a grocery store and a failure to adequately secure some patient paper files when not in use. Each of these incidents involved sensitive personal data relating to patients,” explains the Undertaking.

“What saddens me most of all,” says Grant Taylor, UK VP with Cryptzone, “is that some of the data that went walkabout as a result of these USB sticks being unencrypted involved the records of children - as well as maternity patients. These are precisely the members of society whose interests we should be looking out for, as the kids almost certainly cannot look out for their own data,” he said.

Some will wonder whether the leniency of ICO punishments explains this failure to learn. In this instance, the South London NHS Trust has simply had to undertake to do better in future ‘in consideration of the Commissioner not exercising his powers to serve an Enforcement Notice.’ No fine, no enforcement, just a promise.

Taylor thinks it is all so unnecessary. Where an organization (the NHS) employs around 2.8% of the adult population of the country, it is not realistic to expect every employee to understand the need for personal data security, nor the means by which it can be ensured. This means, suggests Taylor, that it is important for patient data to be encrypted at source – and then highly controlled access to that data be granted only on a record-by-record basis.

“Coupled with suitable training and ensuring staff really understand what is both right and wrong when it comes to handling patient information,” he says, “this approach would allow clinical, nursing and administrative staff within an NHS environment access to patient information when they need it, but block access – such as when a member of staff tries to download the data from home – in inappropriate circumstances.

“These two incidents – when taken against the ongoing backdrop of a constant stream of NHS data losses and breaches – also show why the government needs to appoint an NHS data protection czar, with the specific aim of liaising with the ICO and helping the many NHS trusts get a better grip on their levels of data encryption and protection,” said Taylor.
