Patient Tsar backs tougher data theft laws
- 2 April 2008
The chair of the Department of Health’s National Information Governance Board, and influential patient representative, Harry Cayton, has joined the Information Commissioner in calling on ministers not to water down legislation that would increase penalties for data theft.
Cayton said that public confidence in data protection was essential to ensure the benefits of the NHS Care Records Service (CRS) system of electronic patient records.
He said: “I strongly support the information commissioner’s proposals for stronger legal penalties for data theft. Public confidence in data protection is essential if the benefits of electronic patient records are to be realised.”
A bill providing for increased penalties for people such as private investigators and journalists who raid data banks in search of confidential information is nearing completion. It is reported to have been subject to some high-powered lobbying by national media organisations.
Reports in the Guardian newspaper this week suggest the government intends to drop or dilute plans to increase penalties for data theft, including health records. A decision is expected in the next few days whether to remove the clause providing for prison sentences for data theft from the bill.
According to the Guardian the apparent u-turn has proved highly divisive within Whitehall with some departments, including the department of health, said to be concerned due to its desire to reassure the public about the safety of its planned national electronic patient record database.
A Connecting for Health spokesperson acknowledged Cayton’s remarks and added: “There are several layers of protection built into ensuring that clinical records are safe from inappropriate access.
- HealthCare staff can only access clinical care records if they are delivering care to the patient – this is known as a legitimate relationship.
- They must have an NHS smartcard, with a chip and a unique passcode
- They will only see information appropriate to the job they are doing known as role based access.
- They will automatically have their details recorded on audit trails and inappropriate accesses will be alerted to privacy officers.
“NHS organisations are responsible for information governance just as they are for financial and clinical governance. The audit trails and alerts enable them to deliver those responsibilities much more effectively than in the paper record world, where there are no electronic finger prints.”
Clause 76 of the Criminal Justice and Immigration Bill, which is currently going through Parliament, will enable courts to impose a custodial sentence on those convicted of existing offences of buying or selling personal data.
In a statement, the Information Commissioner, Richard Thomas, acknowledged the lobbying campaign against the bill and urged politicians to pass the bill as soon as possible.
“There have been powerful last-ditch efforts to get clause 76 removed from the Criminal Justice and Immigration Bill. There has been widespread support for the government’s decision to strengthen the law and – if data protection is to be taken seriously – it is vital that the government and other parties should stand firm against any possible amendments. I am determined to stop the pernicious illegal market in personal information which our reports exposed,” he said.
Changing the legislation to show punishment for data breaches was essential for earning public confidence, he added.
“If there is a change of heart on legislation aimed at deliberate security breaches, the government will find it hard to convince people that measures aimed at preventing data loss need to be taken seriously. I know there are concerns in some quarters of the media, but – with a powerful public interest defence – responsible journalists have nothing to fear.”
Links
Criminal Justice and Immigration Bill