Time for the NHS to treat its own illness: incompetence with our privacy
Criticism of the Information Commissioner’s Office, and not just from me, is clearly beginning to hurt. In its latest announcement of what are really quite serious privacy breaches, it delivers the same stinging retribution that seems to be a template (‘Naughty, naughty, don’t do it again’); but this time it tells us that it has been as severe as it can:
Monetary penalties are reserved for the most serious cases and this power can only be exercised in limited circumstances. The ICO has made full use of the most appropriate regulatory powers in the two cases highlighted here.
But this begs the question. What were these breaches – and do they deserve more than a slap on the wrist?
2,000 paper physiotherapy records were not filed within NHS Stoke-on-Trent’s archive system and may have accidentally been destroyed or misfiled. At Basingstoke and North Hampshire NHS Trust an Excel spreadsheet, containing 917 patients’ pathology results, was emailed via an unsecure address to another department. The spreadsheet was not password protected and the receiving department had no business need to have access to the excessive amount of clinical records.
Yes, well, we’ve all known worse breaches. But the severity is not the only issue: that they happened at all means that next time we may not be so lucky. And when you couple that with the ICO’s introductory comment:
A quarter (250) of all data breaches reported to the ICO are from the NHS
then we clearly have a very worrying situation. Do we need any further proof that the NHS is no fit organization to have access to centralised, aggregated personal information in the form of the Summary Clinical Record (SCR – what used to be called the NHS Spine)? SCR needs to be categorically, irrevocably and immediately cancelled.