NHS has worst data security
1st August 2011
Data security is highly important in any company or business. Personal information of employees, clients or patients can be at risk of being lost or stolen. Whether it is intentional or not, security breaches take place across all industries and can lead to fraud, damage to individuals, and financial implications for the responsible business or organisation.
Most companies will have clearly outlined procedures for training staff in the importance of data handling, fearing the potential damage to their reputation if a security breach occurs. The reputation of the NHS for example, in its handling of personal data, is coming under increased scrutiny. It was reported to the Information Commissioner’s Office in 2010 that 1,000 data breaches had taken place involving confidential information. The NHS was named and shamed as the worst offender with 307 out of the 1,007 cases – nearly a third of all reported UK data breaches.
Information Commissioner, Christopher Graham, said: “Health workers wouldn’t dream of discussing patient information openly with friends and yet they continue to put information on unencrypted memory sticks or fax it to the wrong number.”
Mr Graham wants to see harsher punishments applied in hospitals and health trusts, as concern is growing after a series of incidents that have breached the Data Protection Act. A recent incident in June this year saw a laptop holding 8.6 million medical records go missing from an NHS building in London. Last year a data CD from New Cross Hospital was found at a bus stop in Wolverhampton. The unencrypted CD contained the heart and lung scans of over one hundred patients.
The seriousness of mishandling sensitive data was highlighted in April 2010 when the Information Commissioner’s Office (ICO) was granted power to fine organisations up to £500,000 for significant breaches of the Data Protection Act. The revised data protection guidelines stated that fines would be applicable for security breaches that are “likely to cause substantial damage or substantial distress”. It was hoped that this would encourage organisations to step up their data security measures and invest in effective encryption software. The first Data Protection Act fines took place in November 2010.
One of the first bodies to be fined was Herefordshire County Council, who were responsible for faxing the details of a child sex abuse case to a member of the public. The council was fined £100,000. A recent survey carried out by Cyber-Ark Software, however, found that 65% of a sample of 500 London city workers were unaware of the costs their organisation could incur as a result of their actions. Many confessed to carrying their clients’ data on portable devices, including mobile phones without password protection. The study found that generally employers are doing little to update their staff with the latest data privacy legislation. This is quite telling, seeing as many security breaches in the UK are in the form of misplaced documents, laptops and memory sticks.
Cloud computing is one of the most recent proposed solutions to the UK’s big problem of data security. The idea of a company’s data being stored online, where staff can access it at the point of need, would eradicate the need for portable devices. Many organisations, however, are hesitant to make the upgrade. There are still fears that cloud computing is not secure, along with concerns about not knowing where your data is held or who else is hosting applications on the same hardware.
In the meantime it is apparent that more needs to be done by organisations, not only to inform their employees about data security, but also to ensure that their staff receive practical training on handling data sensitively, e.g. training on how to encrypt portable devices. If employees are simply ignoring the outlined procedures, it is apparent that more effective training is needed, and possibly the use of sanctions.
The prospect of a £500,000 fine for many businesses is a daunting one. The fines should drive home a strong message that the ICO will take any significant breach of the Data Protection Act very seriously.