“The Information Commissioner (the “Commissioner”) was informed by the data controller of the loss of two unencrypted memory sticks, the leaving of a clipboard with ward lists attached in a grocery store and a failure to adequately secure some patient paper files when not in use. Each of these incidents involved sensitive personal data relating to patients,” explains the Undertaking.
“What saddens me most of all,” says Grant Taylor, UK VP with Cryptzone, “is that some of the data that went walkabout as a result of these USB sticks being unencrypted involved the records of children - as well as maternity patients. These are precisely the members of society whose interests we should be looking out for, as the kids almost certainly cannot look out for their own data,” he said.
Some will wonder whether the severity of ICO punishments is behind this failure to learn. In this instance, the South London NHS Trust has simply had to undertake to do better in future ‘in consideration of the Commissioner not exercising his powers to serve an Enforcement Notice.’ No fine, no enforcement, just a promise.
Taylor thinks it is all so unnecessary. Where an organization (the NHS) employs around 2.8% of the adult population of the country, it is not realistic to expect every employee to understand the need for personal data security, nor the means by which it can be ensured. This means, suggests Taylor, that patient data should be encrypted at source, with access to that data then tightly controlled and granted only on a record-by-record basis.
“Coupled with suitable training and ensuring staff really understand what is both right and wrong when it comes to handling patient information,” he says, “this approach would allow clinical, nursing and administrative staff within an NHS environment access to patient information when they need it, but block access – such as when a member of staff tries to download the data from home – in inappropriate circumstances.
“These two incidents – when taken against the ongoing backdrop of a constant stream of NHS data losses and breaches – also show why the government needs to appoint an NHS data protection czar, with the specific aim of liaising with the ICO and helping the many NHS trusts get a better grip on their levels of data encryption and protection,” said Taylor.
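The encrypt-at-source, record-by-record model Taylor describes above can be sketched in a few lines. The following is an added illustration, not code from the article, from Cryptzone or from any NHS trust: every record is encrypted under its own derived key, and the key service only releases a record when a policy check on the caller's role, ward and connecting network passes, so a copy pulled onto a memory stick or a home PC is useless without that release. The role names, ward labels, network labels and patient lines are constructed sample values, and because the Python standard library has no AES, an HMAC-SHA256 counter-mode construction stands in for the AES-GCM a real deployment would use.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Master key held by the key service. Constructed here for the example; in
# production it lives in an HSM or key-management service, never in source.
MASTER_KEY = secrets.token_bytes(32)


def record_key(master: bytes, record_id: str) -> bytes:
    """Derive a distinct key per patient record (HMAC-based KDF, labelled by id)."""
    return hmac.new(master, b"record-key:" + record_id.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (stdlib has no AES).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_record(record_id: str, plaintext: bytes) -> bytes:
    """Encrypt one record at source: nonce || ciphertext || integrity tag."""
    key = record_key(MASTER_KEY, record_id)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_record(record_id: str, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a modified or mis-keyed blob is rejected."""
    key = record_key(MASTER_KEY, record_id)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("record tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Request:
    user: str
    role: str              # constructed roles: "nurse", "clinician", "ward_admin"
    ward: str              # ward the user is currently assigned to
    network: str           # constructed labels: "trust_lan" or "remote"
    device_encrypted: bool # endpoint attested as full-disk encrypted


ALLOWED_ROLES = {"nurse", "clinician", "ward_admin"}


def decide(req: Request, record_meta: Dict[str, str]) -> Tuple[bool, str]:
    """Record-by-record policy: each refusal names the rule that fired."""
    if req.role not in ALLOWED_ROLES:
        return False, "role not permitted"
    if record_meta["ward"] != req.ward:
        return False, "record belongs to another ward"
    if req.network != "trust_lan":
        return False, "remote download blocked"
    if not req.device_encrypted:
        return False, "unencrypted device"
    return True, "ok"


AUDIT_LOG: List[Tuple[str, str, bool, str]] = []

# Constructed sample records (fictional patients) and the ward each belongs to.
SAMPLE_RECORDS = {
    "P-0001": ("maternity", b"Jane Doe, maternity, DOB 1990-01-01"),
    "P-0002": ("paediatrics", b"Sam Roe, paediatrics, DOB 2015-06-30"),
}


def build_store() -> Dict[str, Tuple[Dict[str, str], bytes]]:
    """Encrypt every sample record at source; the store never holds plaintext."""
    return {rid: ({"ward": ward}, encrypt_record(rid, body))
            for rid, (ward, body) in SAMPLE_RECORDS.items()}


def fetch_record(req: Request, record_id: str, store) -> bytes:
    """Release one record only after the policy check passes; log every decision."""
    meta, blob = store[record_id]
    allowed, reason = decide(req, meta)
    AUDIT_LOG.append((req.user, record_id, allowed, reason))
    if not allowed:
        raise PermissionError(reason)
    return decrypt_record(record_id, blob)


if __name__ == "__main__":
    store = build_store()
    on_ward = Request("n.smith", "nurse", "maternity", "trust_lan", True)
    print(fetch_record(on_ward, "P-0001", store))
    from_home = Request("n.smith", "nurse", "maternity", "remote", True)
    try:
        fetch_record(from_home, "P-0001", store)
    except PermissionError as err:
        print("denied:", err)
```

The point of the split is that the blob in `store` is all a lost memory stick would carry: without the key service honouring `decide`, the bytes are unreadable, and the audit log shows which user asked for which record and why they were refused.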