The NHS has reported the highest number of serious data breaches of any organisation since November 2007, according to disclosures revealed by the Information Commissioner's Office.
David Smith, deputy commissioner at the ICO, today told the Infosecurity Europe conference in London that the NHS - which is in the midst of rolling out digital patient records across the country - voluntarily reported 287 data breaches over the past few years. This constituted just over 30 percent of the total number of breaches, 962, reported in the period.
The majority of NHS data breaches were a result of stolen data or hardware (113), followed by lost data or hardware (82).
The private sector was second behind the NHS, with 271 reported breaches, followed by local government. However, Smith said: “In the NHS there is a management structure to report this [data breaches], and we’re aware not all private sector organisations report.”
Organisations can currently report serious breaches to the ICO via its voluntary data breach notification scheme, which Smith said is “moving towards” a compulsory scheme for all organisations.
“It [the voluntary data breach reporting scheme] is working, but it’s clear we’re not getting everything as we would under a mandatory scheme,” said Smith.
To highlight the seriousness of data breaches, Smith outlined cases such as HMRC’s loss of 7.5 million child benefit records, the Ministry of Defence’s loss of an unencrypted laptop with recruitment data, and PA Consulting, an outsourcer for the Home Office, which lost sensitive prisoner data. However, he emphasised that the problems were by no means confined to the public sector.