Out-Law News 2 min. read

Information security procedures are not being followed in health sector, warns watchdog


Personal data stored by health service organisations must be better protected, the UK's enforcer of data protection laws has said.

The Information Commissioner's Office (ICO) said that there are "systemic" problems with how health service workers practically observe health bodies' data protection policies.

The ICO urged health bodies to improve the security of personal information as it announced that five health organisations had lost information about patients.

Under the requirements of the Data Protection Act, UK organisations must ensure that personal data they hold about people is secure.

"The policies and procedures may already be in place but the fact is that they are not being followed on the ground," Christopher Graham, Information Commissioner, said in a statement (4-page /31KB PDF).

"Health workers wouldn’t dream of discussing patient information openly with friends and yet they continue to put information on unencrypted memory sticks or fax it to the wrong number," Graham said.

"The sector needs to bring about a culture change so that staff give more consideration to how they store and disclose data. Complying with the law needn’t be a day-to-day burden if effective measures are built in and then become second nature," Graham said.

Graham said the ICO was working with NHS computer system developers, Connecting for Health, to help tackle the problem.

The ICO said that a member of staff at Ipswich Hospital NHS Trust left 29 patient records in a public place after deciding to take them home. The employee was new to the Trust and had not received proper training, the ICO said.

Dunelm Medical Practice in Durham sent two patient discharge letters by fax to the wrong organisation, the ICO said. Dunelm's fax-sending procedures were not properly followed and the incorrect number was entered into the fax machine, the ICO said.

An engineering company was wrongly sent a fax by the East Midlands Ambulance Service NHS Trust about a vulnerable adult, the ICO said. The company received a form containing the name, address, date of birth and concerns about the patient's mental state, the ICO said.

Basildon and Thurrock University Hospitals NHS Foundation Trust wrongly sent at least ten faxes to a member of the public between March 2009 and July 2010, the ICO said. In the most recent fax, sensitive personal data about a cancer patient intended for the patient's doctor had been sent to the wrong address, the ICO said.

Lancashire Teaching Hospitals NHS Foundation Trust also wrongly sent patient information by fax to a member of the public, the ICO said. The information had been intended for the patients' doctors, it said.

All five health bodies signed undertakings to carry out training to improve how staff secure personal data, the ICO said.

The undertakings also detailed commitments by the Ipswich Trust to improve security around patient data when it is taken off premises and outlined promises made by the other health bodies on how to better communicate sensitive information.
