ICO finds public sector bodies are still failing to protect sensitive data
In the past two days the ICO has reported DPA breaches at several public bodies, including two NHS trusts, despite recent CfH claims that it would improve
In the past two days the Information Commissioner's Office (ICO) has reported serious data breaches involving three public bodies, two of which are NHS Trusts.
Yesterday the ICO said that confidential patient records were found to have been dumped in public bins by staff at University Hospitals Coventry & Warwickshire NHS Trust on separate occasions this year.
Sally Anne Poole, acting head of enforcement, explained that the sensitivity of the data held by the NHS imposes a duty to protect it.
"Organisations across the health service must recognise that they hold some of the most sensitive personal data available and that it must never be disposed of in the same way as routine household waste," she said.
Following the breach the ICO ordered the trust to review its policies to ensure that personal information is adequately protected and disposed of. Staff will also be trained to follow new procedures governing the handling of clinical data.
The NHS is a repeat offender, having been forced by the ICO to sign 29 undertakings (committing an organisation to a particular course of action in order to improve its compliance) since 2010.
The ICO was so concerned with the regularity of data breaches across the NHS that in July this year Information Commissioner Christopher Graham announced that he was working with Connecting for Health to help health organisations comply with the Data Protection Act (DPA).
Recognising the problem, a spokesperson for the NHS recently told Computing that it understands the ICO's concern and will make efforts to comply.
"We fully support the Information Commissioner's call for improvements in local NHS practice in relation to preserving patient confidentiality. There is absolutely no excuse for breaches leading to the loss of sensitive and personal data."
The spokesperson added that further guidance will be provided to NHS bodies.
"We will shortly be providing NHS organisations with further guidance around their responsibilities in looking after and protecting information."
But, including yesterday's announcement, NHS bodies have breached the DPA a further seven times since making this commitment, suggesting this guidance has not worked.
On this issue, Health Minister Simon Burns explained that guidance was issued, and it is up to individual NHS bodies to roll the advice out to their staff.
"We have issued clear standards and guidance to the NHS about what needs to be done to keep patient records secure and confidential. Individual NHS organisations are responsible for ensuring their staff understand and follow that guidance."
He added that access to records can be tracked, and that this can be used to discipline staff responsible for breaches.
"Any member of staff discovered intentionally breaching this should be subject to appropriate disciplinary action.
"Access to electronic records can be tracked and audited, so that any abuse can be traced and dealt with."
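The minister's statement assumes that an audit trail of record access exists and that someone reviews it. As an added illustration, not part of the article or of any NHS system, the following script shows the kind of review a data controller could run over such a trail: it flags accesses to patients outside a staff member's assigned care team and staff who touch an unusually large number of distinct patients. The log format, the staff and patient identifiers, and the care-team table are all constructed for this example.

```python
"""Added example (not from the article): reviewing an electronic patient-record
access audit trail for accesses that lack a legitimate relationship and for
unusually high-volume users. Every identifier and log line is constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed audit trail: timestamp, staff id, patient id, action.
# A real system would export something similar from its audit database.
AUDIT_LOG = """\
2011-10-11T08:02:11 staff-017 patient-1001 VIEW
2011-10-11T08:05:40 staff-017 patient-1002 VIEW
2011-10-11T08:09:03 staff-042 patient-1002 VIEW
2011-10-11T08:11:55 staff-042 patient-1003 VIEW
2011-10-11T12:30:00 staff-042 patient-2001 VIEW
2011-10-11T12:30:20 staff-042 patient-2002 VIEW
2011-10-11T12:30:41 staff-042 patient-2003 VIEW
2011-10-11T12:31:02 staff-042 patient-2004 VIEW
2011-10-11T12:31:25 staff-042 patient-2005 VIEW
2011-10-11T12:31:47 staff-042 patient-2006 PRINT
2011-10-11T13:00:00 staff-017 patient-3001 VIEW
"""

# Constructed care-team table: the patients each staff member is assigned to.
# In practice this comes from the clinical system's care-team assignments.
CARE_TEAM = {
    "staff-017": {"patient-1001", "patient-1002"},
    "staff-042": {"patient-1002", "patient-1003"},
}


@dataclass(frozen=True)
class Access:
    ts: str
    staff: str
    patient: str
    action: str


def parse_log(text):
    """Parse whitespace-separated audit lines into Access records.
    Lines that do not have exactly four fields are skipped rather than
    silently misread, so a malformed export cannot hide an access."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        records.append(Access(*fields))
    return records


def accesses_without_relationship(accesses, care_team):
    """Return accesses to patients the staff member is not assigned to.
    Each of these needs a documented justification (for example an emergency)
    or is a candidate breach for the disciplinary process the minister describes.
    Staff absent from the care-team table have no assigned patients at all."""
    return [a for a in accesses if a.patient not in care_team.get(a.staff, set())]


def high_volume_staff(accesses, threshold):
    """Return staff ids that accessed more than `threshold` distinct patients.
    Bulk browsing is a common pattern behind record snooping and data theft."""
    patients_by_staff = defaultdict(set)
    for a in accesses:
        patients_by_staff[a.staff].add(a.patient)
    return sorted(s for s, p in patients_by_staff.items() if len(p) > threshold)


def review(text, care_team, threshold=5):
    """Run both checks and return the findings as plain data for reporting."""
    accesses = parse_log(text)
    return {
        "unassigned": accesses_without_relationship(accesses, care_team),
        "high_volume": high_volume_staff(accesses, threshold),
    }


if __name__ == "__main__":
    findings = review(AUDIT_LOG, CARE_TEAM)
    for a in findings["unassigned"]:
        print(f"no care relationship: {a.ts} {a.staff} {a.action} {a.patient}")
    for s in findings["high_volume"]:
        print(f"high-volume user: {s}")
```

The review deliberately produces candidates for a human to examine rather than verdicts: a legitimate reason for an unassigned access can exist, but the controller should be able to show that each one was looked at. The threshold and the care-team source would need tuning to the real system.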
Although the NHS is the largest offender by volume, local councils and other public sector organisations also often fall foul of the ICO.
Today the ICO released details showing that the Newcastle Youth Offending Team breached the DPA by failing to encrypt a laptop containing personal data, which was subsequently stolen.
Poole said that encryption should be used to protect personal data.
"Encryption is a basic procedure and an inexpensive way to ensure that information is kept secure. But, to their detriment, not enough data handlers are making use of it."
In this case the laptop was lost by a third-party contractor. Poole explained that organisations should monitor the third parties to which they pass sensitive data.
"Organisations shouldn't simply assume that third parties will handle personal data in line with their usual standards," she said.
Newcastle Youth Offending Team has now stated that it will take steps to ensure all data processors contracted to act on its behalf comply with the DPA, and that all portable and mobile devices will be encrypted.