Information Commissioner to investigate MTAS leak

Tags: A Confidentiality Government Information Information Commissioner iS Norman Lamb Security

10 May 2007

The Information Commissioner has told the Liberal Democrat’s health spokesperson, Norman Lamb that he will be launching an immediate investigation into the leak of applicant’s details on the Medical Training and Application Service website, E-Health Insider has learned.

Two weeks ago, Channel 4 News reported that they were able to log onto the MTAS website and have access to confidential information including doctors' addresses and telephone numbers, previous convictions, sexual orientation and religion.

At the time, Lamb announced he had written to the Information Commissioner asking him to investigate urgently the release of sensitive personal data of junior doctors on a Government website.

In a reply to the MP dated 2 May and seen by EHI, Richard Thomas, the Information Commissioner wrote: “I share your concerns about the allegations about lack of security and access to sensitive personal data contained within the MTAS website. I consider that the alleged breaches in question may amount to an issue of general and serious public concern and importance in that the public rightly expect organisations both in the public and private sector to safeguard the security of their personal information.”

Thomas added: “In these circumstances there is a clear duty of confidentiality between the Department of Health and junior doctors. Following the reports in the media I decided to commence an investigation into the allegations made, I asked the head of the regulatory action division, Mick Gorrill, to take responsibility for the investigation.”

The MTAS website is also under a Department of Health investigation and has been suspended by the government.

Health secretary, Patricia Hewitt, apologised once more for the leak on the BBC’s Question Time show last Thursday, where heckling junior doctors called for her to resign.

Hewitt said she would not be resigning of her own accord, but invited the audience to submit questions to her on the show’s website. The BBC says it will publish a selection of questions and the answers given by Patricia Hewitt on the Question Time website in a few days' time.

The Information Commissioner said it was too soon to draw lessons that applied to the Connecting for Health programme, saying: “Although it is too soon to say whether any specific lessons I have no doubt that the experience serves as a stark illustration of the issues which arise where security of sensitive data is not treated with the utmost seriousness.”

The assistant information commissioner, Jonathan Bamford, is expected to give evidence on the electronic patient record to the Health Select Committee on Thursday.

Gorrill meanwhile has written to David Nicholson, chief executive of the NHS, asking him to provide an immediate explanation regarding the reported security breaches of the MTAS website and to provide the Information Commissioner's Office with details of the Department of Health's investigation into the breaches and the action being taken to prevent a further occurrence.

Links

Junior doctors' confidential details openly displayed

MTAS

ICO

BBC Question Time

Readers Comments

Good news - at last some action on this awful process

10 May 07 07:58

I cannot believe that this beast of a process has survived so many systematic process failures, rescue plans, and workarounds - maybe once the IC gets in there, he will find all the other faults that should have been fatal!

Whilst he is there ....?

10 May 07 08:50

The security leak was possibly one of the milder faults of this MTAS process. It is clear now that the GP selection results are coming out that a number of UK citizens, UK born, UK trained, working in the NHS, paying UK taxes, have been deemed "ineligible" because they do not have the correct immigration status, visa and work permit! To me this suggests that at some point the applicants' electronic or paper records became shuffled with other applicants electronic or paper records. This would be a serious operational flaw that could challenge the whole selection process, even the much vaunted "successful" GP selection process.

I also have a deep suspicion that other electronic or paper data were shuffled, so that in shortlisting Dr A, may have attracted the scores for Dr B's answers! In the middle of the application process at the end of January two Units of Application (London and KSS) were merged into one. This required a swift software rewrite, and also meant that scoring now had to be done on paper not on line. Queries had to be written to print out the application "reports" and the applicants' unique application ID codes could not be printed onto the reports, so had to be hand written onto every sheets (100,000s of sheets!) and then sorted to the right piles. In a complex multi-table database, with data in core fileds merged in a swift software rewrite and then paper reports wihout a printed unique ID and each scorer only seeing one sheet of the answers, not all the sheets from one candidate, Dr A's unique ID could easily end up on Dr Bs answers.

I asked the DoH to look into this on Friday March 2nd, and gave an example of a blatant "miscarriage" of justice to look into, to see if this could be an explanation. The DoH decided not to do this, and to defer investigation of this case, until the end of the MTAS process, ONCE the jobs had been allocated!

So maybe the IC could have a glance at these issues as well?

Wider concerns over data security

10 May 07 08:54

In light of the failure of the MTAS website to effectively protect the personnal and confidential information provided by junior doctors, I think it brings into question the wider picture of exactly how safe Patient information being carried by the Spine applications will be.