ICO launches new resources to help prevent data breaches

  • 4 April 2017

The Information Commissioner’s Office (ICO) has responded to concerning health data audits with a new set of specific tools for staff in NHS and other health organisations.

Launched 29 March, the newly created resources include posters, tool-kits, training videos, infographics and a webinar.

The ICO found that there were more than 200 self-reported incidents of data being posted or faxed to the incorrect recipient in the last financial year in the health sector.

During the same time period, there were more than 200 self-reported breaches involving lost or stolen paperwork.

One of the ICO’s posters to try and prevent data breaches

ICO’s good practice group manager, Leanne Doherty, said in a statement that “unfortunately our audits showed a worrying trend of health organisations failing to properly manage the records they held”.

“The people we speak to want to get this right.”

The ICO’s audits also found that 33% of health organisations had no information asset register or nominated information asset owners, and 22% of health bodies had issues with logging, tracking, movement or security of paper records.

Doherty added the resources are meant to offer health professionals “practical support and give them the tools to improve people’s approach to records management in their organisations”.

A blog post by Doherty, published as part of the launch, outlines the issues of physically storing records, with examples of health data being left behind in garages, old offices or removal vans.

The non-arrival of medical correspondence hit the headlines in February.

The health secretary, Jeremy Hunt, had to face urgent questions in the House of Commons after The Guardian revealed that more than 500,000 pieces of NHS correspondence had never been delivered.

Digital Health News reported in February that Sheffield Teaching Hospitals NHS Foundation Trust left 10 patients in the lurch when its patient administration system failed to print out appointment letters.

8 Comments

  • What is the procedure for obtaining details of all occasions on which my records were accessed by an individual or organisation since 2013? I now understand, by following these posts, that this info can be obtained through an audit trail which would identify these parties. Urged by the NDG to make a complaint via Ombudsman/ICO, I only need clarification without obfuscation to explain events since that date. I believed my practice had an in-house DG, later revealed to be admin staff only. Now in communication with an unidentified digital NHS staff member (I can only assume), silence is again deafening.

  • My experience is that many of those people overseeing processes don’t understand the very basics of the Data Protection Act. “We can’t send an email for security reasons” being a fairly classic type of misunderstanding. When the new EU legislation comes in next year the NHS is going to be in real trouble. Many of the people I talk to in the NHS don’t even know this is coming, never mind the implications.

  • Organisations need to have professionally qualified health records managers in post – this will help with their compliance.

  • I would like to know three things:-
    How many organisations were surveyed?
    What remedial actions have been undertaken?
    Was any patient harmed by the issue?

  • I wonder if junior doctors send their personal bank account details via Google docs or WhatsApp…?

    No, of course not, that would be totally irresponsible, wouldn’t it?

  • Not sure “assist their workflow” is the way to view this; I see it more as being in breach of corporate policy and a general lack of basic information security common sense.

  • The more worrying issue is how junior doctors are communicating non-anonymised patient data via Google Docs, Skype and WhatsApp to assist their workflow. How will organisations account for those information assets which are actually in large volumes?

  • The ICO’s audits also found that 33% of health organisations had no information asset register or nominated information asset owners, and 22% of health bodies had issues with logging, tracking, movement or security of paper records.

    – An audit of how many organisations?
