Data watchdog reminds healthcare organisations about security

Healthcare organisations have been given a strong reminder from the Information Commissioner’s Office (ICO) of the importance of keeping patient data secure, following reports of a data breach at the private London Clinic.

The regulator warned that patient data is highly sensitive information that must be handled with care: ‘When accessing healthcare and other vital services, people need to trust that their medical information is safe and only available to authorised employees.’

Yet the ICO’s own data reveals over 1,500 incidents are reported by the health sector each year. 

In the last 12 months, the regulator has also taken enforcement action against several healthcare organisations.

These include NHS Fife, after an unauthorised person was able to enter a ward and access the personal information of 14 patients.

The ICO said healthcare organisations should ensure:

Staff are thoroughly trained 

Organisations should have data protection training in place that is role-specific, tailored and relevant to the tasks being completed. 

Staff should feel confident in handling people’s personal information safely and securely. It must be clear to staff what records they are allowed to access.

Appropriate technical measures are in place 

Appropriate measures, such as passwords and access controls, should be in place to ensure personal information can only be seen by people who need to use it.

Staff are clear on the data breach reporting process 

An organisation must report misuse of personal data to the ICO if there is a risk to people’s rights and freedoms, which is often the case with sensitive medical information. This must be reported within 72 hours of becoming aware of the breach. 

Stephen Bonner, deputy commissioner for regulatory supervision at the ICO, said: ‘We know people across the UK may be questioning how safe and secure medical records may be following reports of a data breach at the London Clinic.

‘When we’re in the care of healthcare providers, we need to be able to freely share our personal and sensitive data – it’s often essential to ensure we receive the care and support we need. As new technologies come into use in our healthcare system, our data will become even more important.

‘This underlines the need to ensure this information is treated with the utmost care and security. Every patient, no matter who they are, has the right to privacy.’

Further guidance for organisations can be found on the ICO website.