NHS patient records warning from Information Commissioner

ICO says culture change still required to ensure security

The Information Commissioner’s Office has warned NHS trusts to take much more assertive steps to protect patient records.

The warning comes as the ICO found five health organisations had seriously breached the Data Protection Act. Electronic patient records are being rolled out across the country, both within and outside the troubled £11.7 billion NHS National Programme for IT.

A recent Public Accounts Committee hearing into the programme saw officials at the Department of Health disclose that 800,000 clinicians are able to log in to the patient records systems within the National Programme alone - although the officials also gave a detailed defence of the security in place. The ICO is working with Connecting for Health, which is in charge of the NHS National Programme, to help guide trusts on security.

Five NHS trusts have been issued with ICO undertakings, all of which the data protection body said “relate to incidents where they failed to take appropriate steps to ensure that sensitive personal information was kept secure”.

Among the undertakings, East Midlands Ambulance Service NHS Trust lost an unencrypted memory stick containing sensitive personal data relating to a number of patients. Additionally, Dunelm Medical Practice in Durham sent out two patients’ electronic discharge letters, containing sensitive personal data, including medical information.

Procedures around paper records were also brought to light by ICO, after Basildon and Thurrock University Hospitals NHS Foundation Trust sent out a fax with personal patient data to the wrong recipient, Ipswich Hospital NHS Trust left 29 patient records in a public place, and Lancashire Teaching Hospitals NHS Foundation Trust faxed sensitive personal data to a member of the public on several occasions.

“The health service holds some of the most sensitive personal information of any sector in the UK,” said Information Commissioner Christopher Graham. “Millions of records are constantly being accessed and we appreciate that there will be occasions where human error occurs.”

He said there needed to be a “culture change” and added: “The policies and procedures may already be in place but the fact is that they are not being followed on the ground. Health workers wouldn’t dream of discussing patient information openly with friends and yet they continue to put information on unencrypted memory sticks or fax it to the wrong number.”



  • Paul Wooding: Recent statements from the Information Commissioner regarding the security of NHS patient records identify further policy changes which will potentially result in more breaches of data laws by further complicating employee work processes. We must remember that a large proportion of clinical data is still in paper format as a consequence of consistent under-investment in robust and reliable technology which could enable more efficient ways of working. What the NHS and other health service providers require is access to the right information, in the right format, in the right place and at the right time, more often than not in a defined clinical network or local geography. This can be achieved by allowing information to move freely between applications from a pool of secure and protected data that resides in a vendor-neutral archive. Commercial cloud providers such as Amazon and Google provide web-based solutions which raise questions around data visibility and preclude them from delivering confidential patient information at the low-cost prices used for domestic services. There are, however, secure solutions that are cyber-resilient and can be delivered through a private cloud that is paid for on a transaction basis. Outside of the NHS there are numerous examples of such services being deployed in finance, manufacturing and other public sector environments that the NHS and the Information Commissioner might investigate.
    Paul Wooding, FBCS CITP, Head of UK Public Services, NetApp
  • Christian Toon: I wholeheartedly agree with Information Commissioner Christopher Graham's sentiments about a disturbing culture in the health service when it comes to protecting patient records. With millions of personal medical records being lost by NHS trusts and hospitals at present, it's important that the NHS implements robust policies to ensure that patient information is managed responsibly. The NHS needs to integrate corporate self-regulation into its organisation and build a genuine culture of doing the right thing. Sound records management, data entry, cataloguing, tracking, retrieval and indexing systems should be of high importance as the NHS brings itself into the digital age. After all, the public have a right to expect that information about them is handled with care.
    Christian Toon, head of information risk at Iron Mountain