Data protection breaches trigger stern warnings
Healthcare providers have been issued with stern warnings from the Information Commissioner’s Office (ICO) about the need for tighter data protection policies following two recent lapses.
In one case, a medical secretary illegally accessed 156 patient records, while in another, an unauthorised person was able to enter a hospital ward and access personal information of 14 patients.
Neither case was in the independent sector, but the ICO has appealed to every healthcare organisation to learn from the failings and conduct a security review.
The ICO reprimanded NHS Fife after an outsider accessed a ward and, ‘due to a lack of identification checks and formal processes’, was handed a document containing people’s personal information and assisted with administering care to one patient.
Data was taken off site by the person and has not been recovered. The hospital had CCTV installed, but the wall socket powering the CCTV had been accidentally turned off by a staff member before the incident.
Police have been unable to identify the person or recover the lost data, hindered by the lack of CCTV footage.
The ICO said its investigation concluded that NHS Fife did not have appropriate security measures for personal information and had low staff training rates.
Hospital authorities have introduced new measures such as a system for documents containing patient data to be signed in and out, as well as updated identification processes.
ICO head of investigations Natasha Longson said: ‘Patient data is highly sensitive information that must be handled with the appropriate security. When accessing healthcare and other vital services, people need to trust that their data is secure and only available to authorised individuals.
‘Every healthcare organisation should look at this case as a lesson learned and consider their own policies when it comes to security checks and authorised access.’
Fined by magistrates
In the other case, a former NHS employee was ordered by magistrates to pay a total of £648 after being found guilty of illegally accessing medical records.
She worked as a medical secretary within the ophthalmology department at Worcestershire Acute Hospitals NHS Trust when she illegally accessed the records.
In June 2019, a complaint was raised by a patient who was concerned that their medical records had been accessed by an employee, and an investigation revealed the woman had accessed this individual’s records 33 times over a three-month period without consent or a business need.
It was also found that she had accessed a total of 156 patient records without consent or a business need, viewing them over 1,800 times within the three-month period. This included the records of family members and individuals with postcodes local to where she lived at the time.
The medical secretary was required to access clinical and personal information of patients within the ophthalmology department. But the individuals whose records were accessed had no medical conditions relating to ophthalmology.
She pleaded guilty to unlawfully obtaining personal data in breach of Section 170 of the Data Protection Act 2018.
ICO investigator Andy Curry said: ‘People should never have to think twice about whether their sensitive data, such as their medical records, is secure and in safe hands.
‘We want to remind those in positions of trust that just because your job may grant you access to other people’s personal information, that doesn’t mean you have the legal right to look at it for your own purposes.
‘This case shows that the ICO will take action when confidential personal records are accessed unlawfully. Curiosity is no excuse for breaching data protection laws.’