Information commissioner warns NHS over data losses

The health service needs to do more to keep patient's personal data more secure, the information commissioner has warned. Christopher Graham said procedures to protect patients' personal information are "not being followed on the ground" and that effective measures are needed to ensure data laws do not become a "day-to-day burden". "The health service holds some of the most sensitive personal information of any sector in the UK," he said. "Millions of records are constantly being accessed and we appreciate that there will be occasions where human error occurs. "But recent incidents such as the loss of laptops at NHS North Central London (containing the medical records of over 8 million people) - which we are currently investigating - suggest that the security of data remains a systemic problem." The warning comes after the Information Commissioner's Office revealed that five further health organisations had breached the Data Protection Act in recent months. In February, Ipswich Hospital NHS Trust misplaced 29 patient records, before eventually recovering the files, and East Midlands Ambulance Service NHS Trust sent a fax containing sensitive personal data to an incorrect number.* Basildon and Thurrock University Hospitals NHS Foundation Trust, Dunelm Medical Practice and Lancashire Teaching Hospitals NHS Foundation Trust were also found to have breached the Data Protection Act after faxing out sensitive personal information to the wrong recipients. In each case, the health bodies have been issued with undertakings to improve the standard of their data protection procedures. Graham added: "Health workers wouldn't dream of discussing patient information openly with friends and yet they continue to put information on unencrypted memory sticks or fax it to the wrong number. "The sector needs to bring about a culture change so that staff give more consideration to how they store and disclose data. My office is working with Connecting for Health to identify how we can support the health service to tackle these issues." A spokesperson for Dunelm Medical Practice said: 'There was a mistake made as a result of a problem with the programming on the fax machine back in February. "We took the incident very seriously and spoke to the patients straight away and they were happy with our apology. We've put new measures in place, which we have had no problems with, and they will be reviewed on a monthly basis." In an interview with the Independent today, Graham also called for stiffer penalties for cases brought under section 55 of the Data Protection Act. "It's a much wider problem and we do need some tougher penalties because the courts don't seem to regard it as a terribly serious offence," he said. * Correction: this article was changed on 13 July. We originally stated that EMAS had lost a memory stick, which was not the case. We are happy to correct this. This article is published by Guardian Professional. For weekly updates of news, debate and best practice on public sector IT, join the Government Computing Network here.