
The ICO: a guard dog that won’t bite and hardly barks

October 20, 2010

Readers of this blog will know that I am not the greatest fan of the Information Commissioner’s Office. It’s not entirely the staffers’ fault – if you create a guard dog without teeth it cannot bite; and what use is a guard dog that cannot or will not bite?

Here’s yet another point in question:

A doctor at North West London Hospitals NHS Trust breached the Data Protection Act by leaving medical information about 56 patients on the tube, the Information Commissioner’s Office (ICO) said today.

Is there much that is more personal, more sensitive and more private than your medical information? I think not. So the ICO has come down hard on the culprit:

Fiona Wise, Chief Executive of The North West London Hospitals NHS Trust, has signal [sic – signed?] a formal undertaking outlining that the organisation will ensure that personal data is processed in accordance with the Data Protection Act.

Now that’s gonna hurt. But what else can the ICO do? If it fines the NHS, we pay. If it sacks the doctor, we pay for a new one. But nothing the ICO has done to other data protection cowboys has had much effect – it certainly didn’t protect these 56 patients. Ollie Hart, head of public sector, Sophos, thinks the solution is at least partly in user education:

It is of paramount importance to educate users within the NHS of the risks of moving around patient and organisational information and how to protect such data. Having the right data protection software is vital but it also requires much more than just putting software in place. Alongside this, it is key to establish the right procedures and processes to protect the data, as well as educating users, across the organisation.

Well, Hart is of course absolutely right that this should be done; and if it were done… ’twere well it were done quickly. But why wasn’t it already being done? And will being told to do it now (when, potentially, the horse has already bolted) protect the personal data of those 56 patients? It will not. My opinion, then, mirrors that of Hugo Harber, Star’s Director of Convergence and Network Strategy: “If you don’t fine these companies that lose sensitive data, if you don’t make it very painful, then the IT director will not get budget next year to put in DLP or encryption or some similar system to fulfill the company’s duty of care.” (See here)

Obviously there’s no point in fining the NHS; so, hard as it may seem, doctors who lose their patients’ medical records need to be sacked. And that applies to anybody who loses the personal data of others. It’s the only way.

