DH seeks tougher sanctions for security breaches

Tags: A Barts and the London Bradford Foundation Trust Government GP Information iS London Lorenzo Millennium Record keeping Safety sealed envelopes Security South Strategic Summary Care Record

29 Feb 2008

The government is seeking an increase in penalties for NHS staff that breach the Data Protection Act.

Health minister, Ben Bradshaw, made the pledge at a debate on the health select committee report on electronic patient records in Westminster last Thursday. This followed evidence read by chair of the committee, Kevin Barron, citing examples of NHS staff who had accessed records for no justifiable reason, and no action had been taken.

Bradshaw said that at present, keeping records of breaching data security was the responsibility of strategic health authorities, who were also responsible for taking action against those individuals.

He added: “The government strongly support the committee’s recommendations about having stiffer penalties for breaches of the Data Protection Act 1998. Access to patient records will be available only to authorised NHS health care professionals, who must be authenticated users and members of the health care teams directly involved in the relevant patient’s care.

“The department recently wrote to the head of the civil service, who is conducting a review of data processing and collection across government, repeating our support for an increase in penalties for breaching the act.”

He added that despite recent coverage of NHS data losses, the opt out rate in the Summary Care Record (SCR) early adopter sites was only 0.64%, as of 3 February. In total, across Bolton, Bury, Dorset, South Birmingham and Bradford and Airedale, 26 GP practices had gone live with the system and 153,000 patients’ clinical records had been created.

Plans to make the main SCR page more complicated have also been scrapped by the DH, he said: “We should keep the page simple and not make it more complicated – earlier, it was suggested that we would make it more complicated, but we will not do so.”

On the detailed care records for acute care, Bradshaw acknowledged delays and gave details of when new systems are now due to be rolled out.

“We accept that there have been delays, not only in the roll-out of summary care records, but in the whole NHS IT programme. It is important to put on record that those delays were not because of problems with supply, delivery of systems, but pretty much entirely because we took extra time to consult on and try to address record safety and patient confidentiality, and we were absolutely right to do so.”

Cerner Millennium will next be released in Barts and the London NHS Trust in a fortnight. The next Southern Programme of IT site to get the system will be Bath Royal United Hospital NHS Trust in May.

In the North, Midlands and East, Lorenzo release 1 is due to be released to its pilot sites – University Hospitals of Morecambe Bay NHS Trust, University Hospital Birmingham NHS Trust and Bradford Teaching Hospitals NHS Foundation Trust – in June.

Stressing the benefits of the national programme, he said: “The health service is moving from being an organisation with fragmented or incomplete information systems to a position where national systems are integrated, record keeping is digital, patients have unprecedented access to their personal health records and health professionals will have the right information at the right time about the right patient.”

However, he refused to back down on calls for sealed envelopes to be excluded from secondary user service data saying: “We have put in robust safeguards…consent is required, except for data that have been anonymised or data that are otherwise not identifiable as coming from any individual.”

He also insisted that central procurement should remain the way Connecting for Health works, and power should not be devolved: “Central procurement has enabled the needs of the NHS to be aggregated to get best value. Ovum, the IT industry analyst, carried out a detailed study in 2006, and it calculated that central procurement has saved £4.5 billion, compared with the cost if the same solutions had been procured locally.

“Local systems therefore need to be integrated if the aim of making patient information available at the point of need is to work. That is why we have to get the balance right between a national approach with a national architecture, and control at the local level.”

Dr John Pugh, Liberal Democrat MP for Southport, and a member of the Public Accounts Committee (PAC), said: “On the PAC’s three main criticisms – delays, cost benefit analysis, and the paucity of suppliers – the jury is still out, despite the excellent health committee report.”

Link

Hansard – Westminster Hall debate

Joe Fernandez

Readers Comments

Delays - what delays?

29 Feb 08 12:41

In the same debate the Minister said "It is important to put on record that those delays were not because of problems with supply, delivery or systems, but pretty much entirely because we took extra time to consult on and try to address record safety and patient confidentiality, and we were absolutely right to do so."

I obviously misunderstood the reasons for the delay in the roll-out of Cerner in the South and the Contract Reset because it looked pretty much like problems with the system and the delivery of it - as in it didn't really work!

However, if the Minister says that is not the case, he must be right as he is obviously much better informed than a humble IT person like me who has only spent the last three years trying to implement the thing!

Link to specific section of debate http://tinyurl.com/2bhy8w

Why bother changing the DPA?

nhstechie@btinternet.com

01 Mar 08 17:15

The Computer Misuse Act 1990 covers unauthorised access to any computer system and breaches of this Act are liable to a prison sentence. This Act is already in place so no new legislation is needed - judges just need to enforce the law we already have.

Who briefs these people?

Quote

Computer misuse offences 1 Unauthorised access to computer material (1) A person is guilty of an offence if— (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer; (b) the access he intends to secure is unauthorised; and (c) he knows at the time when he causes the computer to perform the function that that is the case. (2) The intent a person has to have to commit an offence under this section need not be directed at— (a) any particular program or data; (b) a program or data of any particular kind; or (c) a program or data held in any particular computer. (3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.

Unquote

Release One in June ...

01 Mar 08 17:37

... I wonder whether Ladbrokes will open a book on whether these go live in June across a significant number of clinical staff? Or perhaps we'll be given a "technical go-live" with a handful of staff and the pilot re-badged as a proof of concept trial?

by act or by omission of act

03 Mar 08 10:28

NHS techie - the Computer Misuse act applies to an individual who by conscious act attempts to make use of data for nefarious purposes. It doesnt apply to someone who (by intention or by omission) causes security to be breached such that a third party could gain access for such purposes.

So in the case of the notorious missing disks - a person who found them and tried to use the data to set up fraudulent accounts or access an account fraudulently would be guilty of a crime. However, the person who breached the code of conduct and sent them through the post currently isn't - so far as i am aware - because there was no intent

Sloppy

04 Mar 08 16:05

I have 20+ years of healthcare IT experience, and also have a clinical background in the NHS. In my experience the commercial sector treat confidential data with the most sensitivity - with the DPA foremost in their mind.

Next is the acute sector - on the whole sensitive data is respected. However some staff (who do have access to sensitive data) and have been with the NHS for many years are clearly not up to speed with regards to the concept of Data Protection. The whole thing needs to be clearly explained to staff (all of them – no matter how many years they have been in service).

Lastly there are the PCTs - these seem to have even less of an understanding of the concepts of confidentiality.

Patient data should not be stored, unencrypted (and p/w protected) on such things as PCs (desktops and laptops), USB devices, PDAs etc - all of these devices can be lost or stolen.

I expect that my comments my ruffle a few feathers and it is possible that I may just have experience of a few bad apples (I doubt it), but I really do think it's about time that the NHS grew up and started taking more care with data.

How would YOU feel if YOUR data/ records (medical or otherwise) fell into the public domain?