
Immediate NHS data security review ordered


14 Dec 2007

NHS chief executive David Nicholson has written to all NHS trust chief executives instructing them to immediately review and tighten their information governance and data transfer arrangements.

The 4 December letter requires trusts to urgently re-examine the arrangements and policies local trusts have for securing data in transit. Trusts are told to urgently buy in additional security expertise if they do not have it in-house already, and to check security arrangements for laptops, CDs and pen drives.

In his letter, Nicholson refers to “recent concerns about public sector”, though the NHS boss doesn’t mention last month’s loss of confidential data on all recipients of Child Benefit by HM Revenue and Customs by name. Instead, the letter speaks of the need to focus on “the security of information between locations and organisations”.

Two recent reports by E-Health Insider and sister title EHI Primary Care have highlighted that some NHS organisations have a lot of work to do to improve information governance. Sefton PCT this week confirmed it had sent details on 1,800 staff to organisations it declined to name. Last week EHI Primary Care reported that Hastings and Rother PCT was sending patient records out using standard Royal Mail post.

The letter says: “No element of information governance, as provided in the information governance toolkit, should be neglected, but priority must be given to securing improvements in the security of data in transit.”

In a checklist of immediate steps all NHS trust CEOs are instructed to “Check your systems and procedures, and deal with any shortfalls immediately”; “Check that your control on the movement of person identifiable data is good enough”; and to “not hold identifiable data on portable media unless it is encrypted”.

In addition, the letter tells trust chief executives: “Do not bulk transfer person identifiable data, unless it is absolutely needed for direct patient care, before you have sorted out your secure processes, and do this quickly.”

As well as addressing the immediate priorities on data transfer and security, trusts are directed to undertake a more detailed programme of work.

It states: “I am looking to each of you to assure yourselves and your Boards that the arrangements that apply in your organisations meet the policies and guidelines that have been provided in the past by the Department, and that there are robust procedures to ensure they are followed.”

Nicholson’s letter concludes: “I would be grateful if you would give close attention to these issues to ensure that public confidence in the NHS’s protection of patient information is maintained.”

 

© 2007 E-HEALTH-MEDIA LTD. ALL RIGHTS RESERVED.

Readers Comments

1

Security in the NHS

16 Dec 07 14:13

It was only yesterday that someone (in a clinical area) was going to give me their login and password (to a clinical system) in order to look at an issue for them - when will these people learn that they have their own personal login and password FOR A REASON?

I honestly really don't think that the public sector will start to take data protection seriously until some sort of legal action and claim for damages has actually been brought against an INDIVIDUAL.


2

disciplinary offence

17 Dec 07 14:07

I hope you raised that officially to the person's line manager - it's about time people realised just how inappropriate this behaviour is, and faced the £2,000+ fine and future employment problems after being prosecuted. I'm fed up with people whinging about the security issues inherent in the spine when they lose files, CDs and give out system access details without care for the consequences.

When are the local organisations going to take responsibility and properly educate and discipline their staff in this area? If bank staff acted with this kind of disregard for privacy, they'd be in serious trouble and people would be raising all kinds of hell.


3

Taking Responsibility of Data

21 Dec 07 00:20

Until very recently as being someone working in a PCT I asked a director who was leading a project with a drug company that was extracting data from GP systems, the question if he believed that there was appropriate information governance in place to ensure patient confidentiality. On being summonsed to his office to be told in a very forthright manner that he had a commercial contract in place and that was sufficient governance and not to question his judgement.

When the Inland Revenue data loss issue came to light the same Director was now becoming nervous of what he had in place and sought guidance from the Director of IM&T, something he should have listened to earlier.

What Directors in particular have to understand is that Information Governance is probably the single most important thing that they are responsible for. And quite rightly measures are going to be put in place by central government to make senior managers accountable and if appropriate a jail sentence for lapses in governance.

Every Director who has a responsibility for data should take note and recognise their responsibilities in this important area.


4

disciplinary offence

nhstechie@btinternet.com

22 Dec 07 00:04

In addition to the £2k maximum fine, breach of the Computer Misuse Act may also carry a sentence of up to 2 years imprisonment and under most Trusts' disciplinary policies constitutes gross misconduct which may lead to summary dismissal on first offence. So hacking or giving away usernames and passwords is seen in law as more serious than the resulting loss of person-identifiable data.

Sadly, the current DPA doesn't include imprisonment in its list of permissible penalties - perhaps it should?


5

Slam! ....... goes the stable door .......

23 Dec 07 12:21

........... now which way did that horse go?
