It's 2 years since I last worked for the NHS. However, the same problems regarding information security seem to be happening again and again. Not in my own backyard at the hospital where I used to work, but all over the country. Although technological advances have meant that we now have more sophisticated ways of communicating with the rest of the world and with each other, simple information security seems to elude us. It's bad enough if you lose your own information, that it might be floating in cyberspace waiting to bite you on the arse when you're least expecting it, but what happens if it's detailed medical information about you, or a member of your family?
Having a quick trawl through the Information Commissioner's Office (ICO) website news releases is enough to give you sleepless nights. As recently as July of this year the ICO fined NHS Surrey the sum of £200,000 after 3,000 patient records were found on a second-hand computer which, unbelievable as it might seem, had been bought on an online auction site. The data destruction company the Trust had employed in 2010 to wipe the machine had left the information on it and then sold it. The company carried out the service for free, with an agreement that once wiped, it could sell on any salvaged materials. The breach came to light when a member of the public bought a computer online and found the details of thousands of patients on its hard drive. As well as sensitive personal data and HR records, information pertaining to children as well as adults was discovered. Since then NHS Surrey has reclaimed some of the computers that were sold; however, many more are still out there, with no way of knowing which ones may still be holding sensitive personal information.
Back in February of this year the Nursing and Midwifery Council was issued with a £150,000 penalty for breaching the Data Protection Act. Three DVDs relating to a nurse's misconduct hearing and containing the personal information of two vulnerable children were lost; when the ICO investigated, it turned out the DVDs had not been encrypted, which meant anyone could access them. David Smith, Deputy Commissioner and Director of Data Protection, said:
“It would be nice to think that data breaches of this type are rare, but we're seeing incidents of personal data being mishandled again and again.”
He went on to say:
“…they forget that personal data comes in many forms, including audio and video images, all of which must be adequately protected.”
The council had been bringing evidence to a hearing venue for a “fitness to practise” case; however, the discs were not with the other evidence provided and have not been found since.
David Smith continued:
“The Nursing and Midwifery Council's underlying failure to ensure these discs were encrypted placed sensitive personal information at unnecessary risk.”
If even large-scale organisations such as the NHS are failing, then what hope is there for the rest of us? Do you run a business or company that holds personal information, not just on laptops but on video, DVD and in images? If so, is it adequately protected?
The eight principles of the Data Protection Act are clear:
• Fairly and lawfully processed
If you have sensitive information in your possession, then only do with it what the law says you can.
• Processed for limited purposes
There are limits on what you can do with sensitive information in your possession: use it only for the purposes for which it was collected, nothing more.
• Adequate, relevant and not excessive
Don't collect reams and reams of sensitive personal information in case it might come in handy on a rainy day; every extra record you hold is one more that can be lost or stolen.
• Accurate and up to date
Personal information you hold on someone must be up to date, with nothing missing or incorrect. If you're informed of any changes, then modify your records as soon as possible.
• Not kept for longer than is necessary
Your company or organisation should have a retention or disposal schedule or policy stating exactly how long you are going to store records before destroying them CONFIDENTIALLY.
• Processed in line with your rights
People have rights under the Data Protection Act 1998: they can see the information held about them when they want to (unless an exemption applies), and if they inform you of changes, or tell you that information you hold is incorrect, you must rectify it unless there is good reason not to.
• Secure
If you hold information that is both sensitive and personal, then it is up to you to keep it secure. YOU are responsible should anything happen if the information is stolen or carelessly lost. Make sure that appropriate steps are taken to protect information held online or on paper. Work towards a clear desk policy for your staff, and always make sure that staff keep their passwords hidden and never write them down. Make sure that DVDs, memory sticks and any other removable media are encrypted and password protected.
• Not transferred to other countries without adequate protection
NEVER transfer sensitive personal information outside the EEA unless the ICO says the destination has adequate protection. The ICO has a comprehensive list of the countries within the European Economic Area that have adequate data protection, and of the countries outside the European Economic Area that do.
There is further guidance on that here:
Next time: What happens if you disagree with a doctor's opinion, and you're unhappy with what he's written in your medical notes, can you ask to have it removed?
Gillian Jones is a freelance writer and copywriter with 10 years' experience in the NHS. Further information is available at www.taith.net/