Information Commissioner’s Office takes action against an NHS Trust in Hartlepool over poor data practices

March 15, 2015 |

The UK Information Commissioner’s Office (“ICO”), like the US Federal Trade Commission, has been quite active in taking action against those who breach the privacy related laws for which each office is responsible.  This has led to a good body of precedent, to use the word loosely, as to the practical operation of the legislation.  That is particularly useful given that the courts have had limited involvement in the enforcement of privacy related laws in either jurisdiction.

Last week the ICO announced the enforcement action it has taken against the North Tees and Hartlepool NHS Foundation Trust.  The media release, Hartlepool based NHS Trust ordered to review data protection by the ICO, provides:

North Tees and Hartlepool NHS Foundation Trust has been ordered by the ICO to review its data protection policy after a file containing sensitive patient information was found at a bus stop.

It was one of a number of incidents over the last year which resulted in data being lost or disclosed without authorisation leading to an enforcement notice being issued to the Trust. Other incidents included letters, notes and reports containing patient data being sent to the wrong people.

Investigations carried out by the ICO revealed that at least one department had been knowingly breaching the organisation’s data protection policy on a regular basis, saying they found the rules around secure transportation of documents impractical.

Steve Eckersley, Head of Enforcement at the ICO said:

“The careless way this highly sensitive personal information has been handled is embarrassing for the Trust involved. Even though the organisation had over-arching policies in place, they obviously weren’t being followed and didn’t seem to be suitable for every department. It’s important that every organisation not only has the correct policies and procedures in place but also that those policies are followed. That includes providing the right training for staff so everyone can take their data protection responsibilities seriously.

“An action plan was put in place after earlier breaches but clearly parts of the plan have been ineffective and after consideration we decided to issue an enforcement notice to improve compliance and to protect individuals.”

The enforcement notice, made under the ICO’s supervisory powers, provides (numbering omitted):

In the course of 2014 and early 2015, the Commissioner was informed of a number of separate incidents involving the loss or unauthorised disclosure of personal data, mainly contained in paper documents. One incident involved the discovery of a folder containing highly sensitive personal data at a bus stop by a member of the public, while most of the other cases related to letters, notes and reports containing patient data being sent to the wrong recipients.

Investigations carried out by the Commissioner revealed that at least one internal department had been knowingly breaching the data controller’s ‘Data Protection and Caldicott Policy’ on an ongoing basis as they found the rules around secure transportation of documents impractical for the daily tasks they were required to carry out. This indicates that the data controller’s policy may not have been fit for purpose for all Trust departments. In addition, the transportation solutions required by the policy may not have been sufficient to prevent the loss or unauthorised disclosure of personal data, even if followed. The Commissioner’s enquiries also highlighted the fact that several of the document addressing errors occurred due to the overtyping of previous patient letters.

……

In view of the matters referred to above the Commissioner hereby gives notice that, in exercise of his powers under section 40 of the Act, he requires that North Tees and Hartlepool NHS Foundation Trust shall within 3 months of the date of this Notice:

 Review its ‘Data Protection and Caldicott Policy’ to reflect the specific needs and practicalities associated with each internal department. The review should involve a requirement to redact or minimise the personal data contained in correspondence removed from the office wherever possible, and to use secure electronic solutions for document storage and transmission when available;

Put an action plan in place and carry out comprehensive quality assurance and spot checks to ensure all departments are complying with policies relating to the protection of personal data on an ongoing basis including the ‘Data Protection and Caldicott Policy’, the ‘Clinical Administration Standard Operating Procedure’, the ‘Information Security Policy’ and the ‘Information Governance and Caldicott Policy’.

As part of this action plan, implement additional technical or organisational measures to ensure that the ‘Clinical Administration Standard Operating Procedure’ is being strictly adhered to by all staff dealing with patient correspondence, particularly with regard to the checking of addresses and non-overtyping of letters; and

Establish a data breach management policy to deal specifically with containment and recovery solutions, including requirements around the secure retrieval of recovered information.

Just to highlight how much of a problem data security is in the health sector, recent incidents reported elsewhere include a press release from health provider Aedisys regarding a potential data breach, 20 year old medical records found in an unused house in New Zealand, and medical notes on display in a car in the UK a week ago.  It is a chronic problem worldwide.

Until March last year, when real and effective enforcement powers came into the hands of the Australian Privacy Commissioner, it was unfair to compare the efforts of the UK and US regulators with those of the Australian Privacy Commissioner.  The quietude in enforcement in Australia since then is surprising.  Australia has no reason to assume its data handling practices and security arrangements are any better implemented and maintained than those overseas.  The Commissioner’s statement as to what the next year will produce (see here) can best be described as enigmatic.  How else can you describe this quote:

‘For the next twelve months our focus will be on governance, assisting organisations and agencies to build a culture of privacy, and ensuring that organisations and agencies are proactive in meeting their compliance requirements. My message for all organisations and agencies is: it is more effective, and ultimately cheaper, to embed privacy in day-to-day processes than it is to respond to issues such as data breaches as they arise’, said Mr Pilgrim.

It could be significant enforcement action or significant discussions or not much of anything. Time will reveal all.
