ICO slams NHS for repeated data handling failures

The Information Commissioner's Office (ICO) has issued the NHS with a stern warning that it must improve its data handling efforts, as the organisation continues to lose huge amounts of sensitive information.

NHS North Central London admitted in May that it had lost a laptop containing the details of eight million patients, prompting an ICO investigation.

Information commissioner Christopher Graham highlighted the case as just one in a long line of failures.

"The policies and procedures may already be in place, but the fact is that they are not being followed on the ground," he said.

"Health workers wouldn't dream of discussing patient information openly with friends, and yet they continue to put information on unencrypted memory sticks or fax it to the wrong number."

Graham warned that further education on the importance of data protection is required, and revealed that the ICO is working with the NHS division responsible for IT infrastructures.

"The sector needs to bring about a culture change so that staff give more consideration to how they store and disclose data. Complying with the law needn't be a day-to-day burden if effective measures are built in and become second nature," he said.

"My office is working with Connecting for Health to identify how we can support the health service to tackle these issues."

The NHS has repeatedly been at the centre of notable data breach incidents, and was exposed in 2010 as the organisation responsible for most breaches reported to the ICO.

Former head of enforcement at the ICO, Mick Gorrill, said at a recent event that he "would have put money" on the watchdog's first fine being levied against an NHS body, but it has so far escaped punishment.

However, Stewart Room, a data protection lawyer and partner at Field Fisher Waterhouse, said in a blog post that the information commissioner's latest attack could suggest a change in approach.

"If the ICO does fine the NHS there's bound to be criticism from some quarters, as in this age of austerity the NHS needs every penny it can get," he said.

"On the other hand, the ICO has been banging on about data security non-stop since 2006 and in that time the NHS has been a repeat offender. Just take a look at the ICO enforcement pages on its web site to see the proof."