Do the results of an anonymous survey into data protection practices and attitudes of junior doctors provide justification for compulsory audits?
In March of this year the Ministry of Justice announced a consultation to consider whether the Information Commissioner’s Office (ICO) should be given powers to require NHS bodies to submit to compulsory audits by the ICO of their data protection practices. The required statutory designation, under section 41(2)(b) of the Data Protection Act 1998 (DPA), would mean that “public authority data controllers within National Health Service Bodies (NHS) in England, Wales, Scotland and Northern Ireland” would be added to central government departments in the group of data controllers subject to these compulsory audits.
Given the nature of the personal data it deals with, the NHS is clearly a high-risk area, and has been subject, particularly over the last two years, to significant enforcement action by the ICO. The Information Commissioner himself, Christopher Graham, said in 2011:
“There’s just too much of this stuff going on. The senior management is aware of the challenge but the breaches continue. Whether it’s a systemic problem in the NHS or an epidemic we have got to do something about it. Health service workers look after their patients very carefully but don’t always look after their data very carefully.”
In some ways these compliance problems might be seen as surprising: all NHS bodies are required to comply with the comprehensive and demanding IG Toolkit, and in my experience there are some extremely skilled and dedicated people working in the field of NHS information governance.
This makes the findings of a small but significant study at two hospitals of the attitudes and practices of junior medical staff towards the security of patient identifiable information particularly concerning. And, perhaps, the justification for compulsory ICO audits is made out.
the physicians’ current practice as well as their awareness of the Data Protection Act and Caldicott principles with respect to storage and disposal of patient identifiable information.
The results are dismaying: they include
“Sixty-two percent of physicians surveyed held patient identifiable information electronically, outside of normal NHS use. Thirty percent of physicians used portable memory sticks, of which 68% were not password protected. Ninety percent of physicians used patient ward lists in paper format with 18% frequently using a domestic waste bin for disposal”
and in a small number of cases data was said to have been stored on personal computers.
All of these practices in themselves constitute serious contraventions of the DPA. In the event that they gave rise to loss or theft of data they would undoubtedly result in strong enforcement action by the ICO, probably in the form of a monetary penalty notice (MPN), which can be for up to £500,000.
A number of questions come to mind. Is such wholesale disregard of fundamental data security and patient confidentiality reflected throughout the NHS? Is it specific to these two unnamed hospitals? Is it restricted to, or worse among, clinicians, or certain categories of clinician? And how do the principles of the IG Toolkit match up to reality in the clinical environment of a busy hospital?
Perhaps these are questions that can be answered in a compulsory ICO audit.