
Healthcare - July 2010

Further concern about NHS Data Protection

The Information Commissioner's Office (ICO) has warned that access to sensitive medical records is not being strictly controlled, and hence that many NHS Trusts are breaching the law.

In 2008, the European Court of Human Rights ruled in I v Finland that governments have a legal duty to restrict access to medical records to those who are directly involved in the personal care of the patient. The UK campaign group Big Brother Watch surveyed 151 NHS Trusts and found that large numbers of non-medical staff can access confidential patient records. On average, 723 staff in an NHS Trust can have access to such records without any need to do so.

The concern about the failure of NHS Trusts to take data security seriously ties in with the report from the ICO that between 1988 and 2010 (so far) there have been 1007 security breaches reported to the ICO. Of those, 305 involved the NHS. Analysis of these figures shows that the major areas of concern are lost and stolen data and hardware. This reflects a rather lax attitude towards protecting IT hardware that may well have vast amounts of personal data stored on it.

The ICO has shown a growing impatience with the NHS, due to its perceived continuing failure to take data protection security seriously. For a recent example, please see the link below to an ICO press release dated 15 June 2010, detailing data security lapses by NHS Stoke-on-Trent and Basingstoke and North Hampshire NHS FT. Note the undertakings given by the CEOs.

In addition to obtaining undertakings, the ICO has powers to impose fines of up to £500,000 for the most serious breaches. This would have to be a very serious contravention causing substantial damage and/or distress, which was either caused deliberately, or where the data controller knew or ought to have known there was a risk of contravention and failed to take reasonable steps to prevent it occurring.

http://www.ico.gov.uk/upload/documents/pressreleases/2010/nhs_stoke_on_trent_and_basingstoke_north_hampshire_150610.pdf

Simon Charlton, Associate
Weightmans LLP