Do the results of an anonymous survey into data protection practices and attitudes of junior doctors provide justification for compulsory audits?
In March of this year the Ministry of Justice announced a consultation to consider whether the Information Commissioner’s Office (ICO) should be given powers to require NHS bodies to submit to compulsory audits by the ICO of their data protection practices. The required statutory designation, under section 41(2)(b) of the Data Protection Act 1998 (DPA) would mean that “public authority data controllers within National Health Service Bodies (NHS) in England, Wales, Scotland and Northern Ireland” would be added to central government departments in the group of data controllers subject to these compulsory audits.
Given the nature of the personal data it deals with the NHS is clearly a high risk area, and has been subject, particularly over the last two years, to significant enforcement action by the ICO. The Information Commissioner himself, Christopher Graham, said in 2011
There’s just too much of this stuff going on. The senior management is aware of the challenge but the breaches continue. Whether it’s a systemic problem in the NHS or an epidemic we have got to do something about it. Health service workers look after their patients very carefully but don’t always look after their data very carefully
In some ways these compliance problems might be seen as surprising: all NHS bodies are required to comply with the comprehensive and demanding IG Toolkit and in my experience there are some extremely skilled and dedicated people working in the field of NHS information governance.
This makes the findings of a small, but significant, study at two hospitals of the attitudes and practices of junior medical staff towards security of patient identifiable information particularly concerning. And, perhaps, the justification for compulsory ICO audits is made out.
The study, published in the Journal of Patient Safety, involved asking 50 junior medical staff across two unnamed district general hospitals to complete an anonymous questionnaire aimed at assessing
the physicians’ current practice as well as their awareness of the Data Protection Act and Caldicott principles with respect to storage and disposal of patient identifiable information.
The results are dismaying: they include
Sixty-two percent of physicians surveyed held patient identifiable information electronically, outside of normal NHS use. Thirty percent of physicians used portable memory sticks, of which, 68% were not password protected. Ninety percent of physicians used patient ward lists in paper format with 18% frequently using a domestic waste bin for disposal
and in a small number of cases data was said to have been stored on personal computers.
All of these practices in themselves constitute serious contraventions of the DPA. In the event that they might give rise to loss or theft of data they would undoubtedly result in strong enforcement action by the ICO, probably in the form of a monetary penalty notice (MPN) which can be to a maximum of £500,000.
A number of questions come to mind. Is such wholesale disregard of fundamental data security and patient confidentiality reflected throughout the NHS? Is it specific to these two unnamed hospitals? Is it restricted to or worse with clinicians? or certain categories of clinician? And how do the principles of the IT Toolkit match up to reality in the clinical environment in a busy hospital?
Perhaps these are questions that can be answered in a compulsory ICO audit.
4 responses to “Data Protection audits in the NHS”
My reply became so long that I posted it on my blog, rather
than filling yours with my thoughts:
As an IG manager working in the NHS I am all too aware that
whilst most organisations are saying they are 100% compliant and
back this up with a satisfactory IG toolkit score this hides the
real truth. For a start of the NHS organisations who have been
issued a financial penalty by the ICO most of them had satisfactory
toolkit scores. The experts (the IG managers like myself) are often
pressurised into making the toolkit score look good by collecting
bits and pieces of evidence which whilst they satisfy the toolkit
go absolutely nowhere in terms of proving IG compliance. Whilst in
theory the IG toolkit should be a good indicator in most cases it
is purely a tickbox exercise. Where this is not backed up is by the
staff who may read the polices but choose to do their own thing
anyway. As a service the NHS is not on top of technology and it is
so much easier for junior docs bought up in a facebook and twitter
world to carry on using a similar approach to their work, and want
to have instant access and instant sharing – something most NHS IT
systems just do not provide. I know of some organisations who score
level 3 across all requirements but haven;t even got half the
policies in place – maybe a bit of “poetic licence”. So yes a n
indepenadnat audit might help – but don’t simly audit the toolkit
get out there and talk to people. OF course the last time i heard
there were not enough ICO staff to audit every NHS organisation in
the country – maybe a job opportunity there then!
Clearly, contravening DPA cannot be accepted, but in order
for it to be addressed constructively, the questions are why it
happens and on that scale? This is not a question of justification,
but there is a need to understand to what purpose this happens in
order to devise appropriate educational tools, alternative IT
solutions or sanctions. Responsibility for this should rest with
NHS employing organisations and IT departments who should reassure
I have not worked in the NHS but having trained within a number of NHS organisations, and discussed the toolkit with those at the sharp end, I would echo Normski’s comments. The feeling in each of my sessions was along similar lines.
1. On its own the toolkit is an excellent and thorough piece of work.
2. The process behind the toolkit unfortunately becomes an end and a distraction in its own right
3. This leads to a lack of focus on the important – effort being put into completing parts of the toolkit rather than prioritising fixing what is wrong
4. The process therefore ties up experienced and scarce resources which in reality would be better employed doing the job rather than satisfying the bureaocracy