When South London Healthcare NHS Trust admitted to losing two memory sticks containing sensitive patient data, it highlighted once again the trouble the health service, in particular, seems to have in securely managing the data it is supposed to look after. Furthermore, despite the seriousness of the incident, no fine was levied by the Information Commissioner's Office (ICO).
The data was lost in two incidents. The first occurred when a "data controller employee" downloaded information relating to about 600 maternity patients and saved it to a memory stick. The second occurred when a device containing the names and dates of birth of 30 children, including full audiology reports on a further three, was also lost. In neither case was the data encrypted.
Both devices were later found, but the cases came amid a string of similar incidents at the Trust, involving not just computerised data, but also sensitive paper-based records. The Trust declined to comment on any of the cases.
Given the seriousness of the losses, why wasn't the Trust heavily punished and why are there so many cases involving lackadaisical data management and data losses in the NHS?
According to Deputy Information Commissioner David Smith, NHS organisations are often hit with big fines. The ICO levied a hefty £375,000 fine against Brighton and Sussex University Hospitals NHS Trust when hard disk drives containing data on tens of thousands of patients were stolen in September 2010.
"We are taking action against NHS organisations when cases come to our attention that meet the criteria for a monetary penalty, which are quite restrictive," said Smith. "It has to be a serious breach, and there has to be a risk of substantial damage or distress to individuals; the organisation either knew, or ought to have known, that there was a risk and failed to take reasonable steps to prevent it happening."