Data Security – Is it part of the culture of your organisation?

Sarah Al-Talib and Chris Alderson describe recent action taken by the Information Commissioner's Office against NHS bodies found to have breached the Data Protection Act, and identify how the regulatory response to breaches is changing. The ICO will not, it seems, hesitate to impose significant fines on NHS bodies where breaches are identified.

One case concerned a medical student who was involved in an audit within the burns and plastics department. The Trust provided the student with an encrypted memory stick which contained sensitive personal data relating to the treatment of 87 patients. When the student completed her placement, she was asked to continue the research. The student copied the data from the encrypted stick to a personal, unencrypted memory stick which was then lost.

It was discovered during the ICO’s investigation that the Trust had not provided induction or training in data protection to the student as it had wrongly assumed that this had been provided to the student at medical school.

The Information Commissioner decided not to serve an enforcement notice in light of the remedial action taken by the Trust. Instead, the Trust gave an undertaking to ensure that students are provided with appropriate data protection inductions and training, that staff and students are made aware of the policies in place for the storage and use of personal data, and that access to personal data for non-clinical purposes is appropriately and regularly monitored to ensure that its use complies with data protection policies.

The Acting Head of Enforcement, Sally Anne Poole, said:

“This case highlights the need to ensure data protection training for healthcare providers is built in early on so that it becomes second nature… NHS bodies have a duty to make sure their staff – both permanent and temporary – understand their responsibilities on day one in the job.”

In another recent case, an undertaking was signed by an Ambulance Service after a laptop containing the contact details of 2,664 service users was stolen from a contractor’s home. The Trust undertook to make contractors aware of its data protection policies which provide that staff should not store information relating to patients on their personal computers.

Another Trust was investigated by the ICO after a CD containing the personal information of 1.6 million people was lost when the cabinet it was stored in was sent to a landfill site during an office move. The CD contained details including individuals' addresses, dates of birth, NHS numbers and GP practice codes. The Trust signed an undertaking that clear policies and procedures would be implemented to support staff with office moves, that these would be communicated to the relevant staff, and that information governance training would be provided to relevant staff.

The emphasis on data protection being ‘second nature’ was highlighted earlier this year by the Information Commissioner, Christopher Graham, who said that the health service needs to do more to keep patients’ personal information secure.

Along with that warning, which came in July, the ICO published guidance for health organisations detailing their obligations in relation to data security.

Christopher Graham further added:

“The policies and procedures may already be in place but the fact is that they are not being followed on the ground. Health workers wouldn’t dream of discussing patient information openly with friends and yet they continue to put information on unencrypted memory sticks or fax it to the wrong number. The sector needs to bring about a culture change so that staff give more consideration to how they store and disclose data. Complying with the law needn’t be a day-to-day burden if effective measures are built in and then become second nature.”

In other words, the ICO expects data controllers to do much more than demonstrate the steps taken to raise awareness of data security issues. In the event of any complaint or data security breach, the ICO will be looking at how engaged all staff are with data security. Organisations will be expected to show that data security is regarded as a task for all staff, not just the specialists in information governance and IT departments.

The consequences of getting this wrong can be serious for an organisation. While no monetary penalties were imposed in the cases discussed above, it is only a matter of time before a significant financial penalty is imposed upon an NHS body. Last month the ‘Dear Colleague’ letter from the NHS Chief Executive and the Information Commissioner to all Chief Executives within the NHS highlighted the ICO’s power to impose monetary penalties of up to £500,000 for serious data security breaches. This was intended as a clear warning to NHS bodies that in future the ICO will be using this power. NHS bodies cannot expect to escape significant financial penalties simply because the funds would otherwise have been used to provide patient care.

It is therefore incumbent on all NHS bodies to ensure that they engage with the need for data security at all levels, from Board level right through to frontline staff. The consequences of getting it wrong could be a six-figure penalty. The recent cases demonstrate that there continue to be elementary failures in data security – are you confident that your organisation would not make the same mistakes?