The ICO: a guard dog that won’t bite and hardly barks
Readers of this blog will know that I am not the greatest fan of the Information Commissioner’s Office. It’s not entirely the staffers’ fault – if you create a guard dog without teeth it cannot bite; and what use is a guard dog that cannot or will not bite?
Here’s yet another case in point:
A doctor at North West London Hospitals NHS Trust breached the Data Protection Act by leaving medical information about 56 patients on the tube, the Information Commissioner’s Office (ICO) said today.
Is there much that is more personal, more sensitive and more private than your medical information? I think not. So the ICO has come down hard on the culprit:
Fiona Wise, Chief Executive of The North West London Hospitals NHS Trust, has signal [sic – signed?] a formal undertaking outlining that the organisation will ensure that personal data is processed in accordance with the Data Protection Act.
Now that’s gonna hurt. But what else can the ICO do? If it fines the NHS, we pay. If it sacks the doctor, we pay for a new one. But nothing the ICO has done to other data protection cowboys has had much effect – it certainly didn’t protect these 56 patients. Ollie Hart, head of public sector, Sophos, thinks the solution is at least partly in user education:
It is of paramount importance to educate users within the NHS of the risks of moving around patient and organisational information and how to protect such data. Having the right data protection software is vital but it also requires much more than just putting software in place. Alongside this, it is key to establish the right procedures and processes to protect the data, as well as educating users, across the organisation.
Well, Hart is of course absolutely right that this should be done; and if it were done… ’twere well it were done quickly. But why wasn’t it already being done? And will being told to do it now (when, potentially, the horse has already bolted) protect the personal data of those 56 patients? It will not. My opinion, then, mirrors that of Hugo Harber, Star’s Director of Convergence and Network Strategy: “If you don’t fine these companies that lose sensitive data, if you don’t make it very painful, then the IT director will not get budget next year to put in DLP or encryption or some similar system to fulfill the company’s duty of care.” (See here)
Obviously there’s no point in fining the NHS; so, hard as it may seem, doctors who lose their patients’ medical records need to be sacked. And that applies to anybody who loses the personal data of others. It’s the only way.