Protecting your data
For any company and organisation, data leaks are a huge worry, especially when so much personal and business data is stored. But according to the Information Commissioner's Office (ICO), the most serious data breaches in the UK occurred within the NHS.
Deputy commissioner David Smith told the Infosec security conference that a total of 287 breaches were reported, accounting for more than 30 percent of the total number of breaches.
The NHS, which employs 1.7 million people and is the UK's largest employer, said that from the end of 2007, 113 incidents occurred due to stolen data or hardware, with a further 82 cases of lost data or hardware, Nursing Times reports.
Mr. Smith said the results could be skewed as not all private sector firms shared the public sector culture of reporting all breaches to the ICO.
Richard Vautrey, the deputy chair of the British Medical Association's GPs committee, said: "We need to keep their breaches in perspective."
He suggested the high proportion of breaches reflected the NHS's size, complexity and openness, and said it was important to allow people to opt out of having their data stored on national databases if they wanted to.
Digitising patient records
As part of its plans to digitise patient records, the NHS is asking patients if they want their data stored on national databases. It is important that people are given the chance to opt out, said Vautrey.
Currently, the reporting procedure for data breaches in the UK is voluntary, although the ICO is "moving towards" a compulsory system.
Since April, the ICO has had the power to fine organisations up to £500,000 for serious data breaches.
Encrypting data
One of the key recommendations the ICO makes in its advice to organisations on how they can ensure the safety of personal information held electronically is to encrypt. The ICO is looking at enforcing fines, in some cases, where data is lost and encryption hasn't been used.
Although the ICO's recommendations relate to the safety of sensitive, personal information, and many people have such information on their systems, the need to encrypt applies equally to all companies and organisations that hold information which is sensitive for them and which needs protecting from both unauthorised internal users and external threats, such as hacking or phishing.
For those of you who do hold sensitive personal information, encryption is absolutely essential if you are to avoid the risk of fines. The ICO specifically warns about the danger of laptops being stolen or left unattended and says: "The Information Commissioner has formed the view that in future, where such losses occur and where encryption software has not been used to protect the data, enforcement action will be pursued."
The ICO recommends that all portable and mobile devices (e.g. laptops, memory sticks, magnetic media, etc.) used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using approved encryption software.
Jodie Humphries
Jodie Humphries graduated from Bath Spa University with a BA Hons in Creative Writing in 2008. She has worked for GDS Publishing for the digital group since July 2009. She has previous experience with writing for the web, running her own website since April 2007.