ICO launches new resources to help prevent data breaches
- 4 April 2017
The Information Commissioner’s Office (ICO) has responded to concerning health data audits with a new set of specific tools for staff in NHS and other health organisations.
Launched 29 March, the newly created resources include posters, tool-kits, training videos, infographics and a webinar.
The ICO found that there were more than 200 self-reported incidents of data being posted or faxed to the incorrect recipient in the last financial year in the health sector.
During the same time period, there were more than 200 self-reported breaches of paperwork lost or stolen.
ICO’s good practice group manager, Leanne Doherty, said in a statement that “unfortunately our audits showed a worrying trend of health organisations failing to properly manage the records they held”.
“The people we speak to want to get this right.”
The ICO’s audits also found that 33% of health organisations had no information asset register or nominated information asset owners, and 22% of health bodies had issues with logging, tracking, movement or security of paper records.
Doherty added the resources are meant to offer health professionals “practical support and give them the tools to improve people’s approach to records management in their organisations”.
A blog post by Doherty, published as part of the launch, outlines the issues of physically storing records which examples of leaving health data behind in garages, old offices or removal vans.
The non-arrival of medical correspondence hit the headlines in February.
The health secretary, Jeremy Hunt, had to face urgent questions in the House of Commons after The Guardian revealed that more than 500,000 pieces of NHS correspondence had never been delivered.
Digital Health News reported in February that Sheffield Teaching Hospitals NHS Foundation Trust left 10 patients in the lurch when its patient administration system failed to print out appointment letters.
8 Comments
What is the procedure for obtaining details of all occasions on which my records were accessed by an individual or organisation since 2013. I now understand, by following these posts, that this info can be obtained through an audit trail which would identify these parties. Urged by the NDG to make a complaint via Ombudsman/ICO, I only need clarification without obfuscation to explain events since that date. I believed my practice had an in house DG, later revealed to be admin staff only. Now in communication with an unidentified digital NHS staff member (I can only assume) silence is again deafening.
My experience is that many of those people overseeing processes don’t understand the very basics of the data protection act. “We can’t send an email for security reasons” being a fairly classic type of misunderstanding. When the new EU legislation comes in next year the NHS is going to be in real trouble. Many of the people I talk to in the NHS don’t even know this is coming nevermind the implications.
Organisations need to have professionally qualified health records managers in post – this will help with their complianice.
I would like to know three things:-
How many organisations were surveyed?
What remedial actions have been undertaken?
Was any patient harmed by the issue?
I wonder if junior doctors send their personal bank account details via Google docs or WhatsApp…?
no of course not that would be totally irresponsible, wouldn’t it?
not sure “assist their workflow” is the way to view this, i see it more as to be in breach of corporate policy and general lack of basic information security common sense.
The more worrying issue is how junior doctors are communicating non anonymised patient data via Google Docs, Skype and WhatsApp to assist their workflow. How will organisations account for those information assets which are actually in large volumes?
The ICO’s audits also found that 33% of health organisations had no information asset register or nominated information asset owners, and 22% of health bodies had issues with logging, tracking, movement or security of paper records.
– An audit of how many organisations?
Comments are closed.