24 May 2012 05:21



ICO acts on NHS info governance

7 September 2011   Lyn Whitfield

The Information Commissioner’s Office has required two NHS organisations to sign undertakings to comply with the Data Protection Act after they lost sensitive patient information.

University Hospital of South Manchester NHS Foundation Trust and the London Ambulance Service were asked to sign undertakings after a medical student and a contractor lost patient details on an unencrypted USB stick and a laptop that was stolen from their home, respectively.

News of the latest data losses in the NHS emerged a day after the Department of Health and the ICO sent a letter to the chief executives of strategic health authorities, primary care trusts and NHS trusts, advising them of the need to maintain good information governance as the health service is reorganised.

“Incidents of data loss continue to occur and in some cases these are both significant and clearly in breach of national guidelines – for example encryption of mobile devices,” says the letter sent on Monday.

“While we have to accept that some incidents will always occur, it is not acceptable where adherence to national policies would have prevented the breach.”

The letter says all NHS organisations should make sure there is a board level individual in place to act as senior information risk owner, and use the NHS Information Governance Toolkit.

It also says they should make sure staff continue to undertake appropriate training annually and are made "continuously" aware of data protection policies.

It says that PCT clusters will be asked to conduct and publish an assessment of information governance in their constituent PCTs by the end of March next year.

It further advises NHS organisations to ask the ICO to carry out data protection audits, which it can do if it is invited.

The letter, signed by information commissioner Christopher Graham and NHS chief executive Sir David Nicholson, says “information is at the heart of major reforms to health and social care” and the ICO and the DH want to make sure “good information governance enables the improvements these reforms will bring for patients.”

On the other hand, it warns that “when, despite our efforts, data protection obligations are not met, the ICO will exercise enhanced powers to take whatever action is appropriate.”

In the latest data loss cases, a medical student who had been on placement at University of South Manchester’s burns unit copied the data of 87 patients onto a personal USB stick for research and then lost it.

The trust had assumed the student had received data protection training as part of their course, and did not give them induction or training in this area. Ironically, it provided the student with an encrypted memory stick to conduct an audit.

But when the student came to the end of their placement, they copied the data from the trust’s stick to their own stick, which was subsequently lost.

The trust has now undertaken to provide students with appropriate induction, to make students aware of its policies for storing and using personal data, to train them in following those policies, and to monitor compliance.

In the second case, a laptop containing personal data relating to people who needed patient transport services was stolen from the home of a member of London Ambulance Service staff.

The ICO found the member of staff concerned had legitimate access to the records, but had emailed them to a personal account in breach of trust policy and then downloaded the information onto a personal, unencrypted laptop so they could work from home.

The trust has also agreed to make staff and agencies aware of its policies on data and to make sure they are trained in following them.

“In particular,” the undertaking says, “the trust will reiterate the message that sensitive personal data is not to be circulated to staff or agency workers’ personal email accounts under any circumstances.”


Last updated: 8 September 2011 17:02

© 2011 EHealth Media.

