Immediate NHS data security review ordered

NHS chief executive David Nicholson has written to all NHS trust chief executives instructing them to immediately review and tighten their information governance and data transfer arrangements.

The 4 December letter requires trusts to urgently re-examine the arrangements and policies local trusts have for securing data in transit. Trusts are told to urgently buy-in additional security expertise if they do not have it in-house already, and to check security arrangements for laptops, CDs and pen drives.

In his letter, Nicholson refers to “recent concerns about public sector”, though the NHS boss doesn’t mention last month’s loss of confidential data on all recipients of Child Benefit by HM Revenue and Customs by name. Instead it speaks of the need to focus on “the security of information between locations and organisations”.

Two recent reports by E-Health Insider and sister title EHI Primary Care have highlighted that some NHS organisations have a lot of work to do to improve information governnance. Sefton PCT this week confirmed it had sent details on 1,800 staff to organisations it declined to name. Last week EHI Primary Care report that Hastings and Rother PCT was sending patient records out using standard Royal Mail post.

The letter says: “No element of information governance, as provided in the information governance toolkit, should be neglected, but priority must be given to securing improvements in the in the security of data in transit.

In an checklist of immediate steps all NHS trust CEOs are instructed to “Check your systems and procedures, and deal with any shortfalls immediately”; “Check that your control on the movement of person identifiable data is good enough”; and to “not hold identifiable data on portable media unless it is encrypted”.

In addition, the letter tells trust chief executives: “Do not bulk transfer person identifiable data, unless it is absolutely needed for direct patient care, before you have sorted out your secure processes, and do this quickly.

As well as addressing the imemdiate priorities on data transfer and security trusts are directed to undertake a more detaield programme of work.

It states: “I am looking to each of you to assure yourselves and your Boards that the arrangements that apply in your organisations meet the policies and guidelines that have been provided in the past by the Department, and that there are robust procedures to ensure they are followed.

Nicholson’s letter concludes: “I would be grateful if you would give close attention to these issues to ensure that public confidence in the NHS’s protection of patient information is maintained.”