Jul 1, 2011 14:51 GMT

The UK Information Commissioner's Office (ICO) has the National Health Service (NHS) in its crosshairs and is threatening higher penalties if health organizations continue to lose sensitive patient information.

In a statement released today, Information Commissioner Christopher Graham characterized the NHS's data protection violations as a systemic problem.

"The policies and procedures may already be in place but the fact is that they are not being followed on the ground.

"Health workers wouldn’t dream of discussing patient information openly with friends and yet they continue to put information on unencrypted memory sticks or fax it to the wrong number.

"The sector needs to bring about a culture change so that staff give more consideration to how they store and disclose data," the commissioner said.

Graham's comments come as his office is investigating the loss of a laptop containing 8.3 million patient records by the NHS North Central London Trust.

Five health organizations have already signed undertakings this year to improve their data handling processes after experiencing various breaches. For example, in February 2011, a staff member from the Ipswich Hospital NHS Trust misplaced 29 patient records after taking them home.

During the same month, a staff member from the Dunelm Medical Practice in Durham faxed two discharge letters containing patient information to the wrong number. The faxes ended up at a third-party organization.

Basildon and Thurrock NHS Trust, East Midlands Ambulance Service NHS Trust and Lancashire Teaching Hospitals NHS Foundation Trust are the three other health organizations that agreed to sign undertakings.

In an interview with The Independent, Commissioner Graham said that courts don't take data protection violations seriously enough and that stiffer penalties are required. The ICO can currently issue fines of up to £500,000 for repeated violations.