High profile data losses have led to tighter sanctions, which will affect NHS organisations, says Simon Charlton

In the six months up until May 2009 the Information Commissioner’s Office took action against 14 NHS organisations. The office wrote to the Department of Health requesting that the NHS as a whole improves its data security immediately.

In September 2008 an NHS-wide directive stipulated that personal data should not leave NHS premises on laptops, CDs, memory sticks, etc, unless it has been encrypted. Password protection is not enough.

The Information Commissioner’s Office now obtains formal undertakings from offending organisations that they will process personal information in line with the Data Protection Act 1998 and implement security measures, especially encryption.

NHS organisations which have been investigated and had action taken against them include NHS Camden, where computers containing unencrypted details of patients’ names, addresses and medical diagnoses were left beside a skip. They were illegally removed and never recovered.

NHS Brent suffered the theft of two laptops containing the personal information of 389 patients, including some health details. The laptops were stored in a locked office, but were left on a desk in breach of the primary care trust’s security procedures. The equipment was not encrypted.

NHS Brent has given an undertaking in similar terms to those mentioned above and an enforcement notice has been served on NHS Camden - failure to adhere to its terms is a criminal offence and could lead to prosecution.

Following a number of high profile personal data losses, a series of reports has been produced. Of wider impact has been a report by cabinet secretary Gus O’Donnell on data handling procedures across government, produced as part of his data handling review.

Information governance officers and managers should look at Cross Government Actions: mandatory minimum measures, a seven page document on the Cabinet Office website. This is a set of mandatory minimum measures to protect information. They oblige individual departments and agencies to assess their own risk. This document will be updated with future lessons learnt and new developments.

New sanctions

With the Criminal Justice and Immigration Act 2008 the secretary of state can, through secondary legislation, introduce an order that will impose criminal sanctions for the unlawful obtaining of personal data. Summary conviction can result in imprisonment for up to 12 months and/or a fine up to £5,000; on indictment imprisonment up to two years and/or an unlimited fine.

The act also introduces a new section, 55A DPA, which allows the information commissioner to impose mandatory penalties where there has been a serious breach by the data controller of the data protection principles.

The information commissioner would like similar powers as the Financial Services Authority to fine - up to 10 per cent of the offending organisation’s turnover.

The FSA fined the Nationwide Building Society £980,000 in February 2007 and, in 2008, Norwich Union £1.28m, both in relation to data security leaks.

Clearly such a power could be a significant deterrent for NHS organisations.

Proposals within the Coroners and Justice Bill would allow the Information Commissioner’s Office to issue assessment notices, which would apply to central government departments and designated public authorities.

This assessment process could make use of information notices, which can be served on data controllers, requiring the provision of specified information. The assessment notices would, in turn, allow the office to enter premises and examine documents, obtain copy documents and make staff available for interviews.

This power could be exercised if it is thought that the data controller is not complying with data protection requirements.

The information commissioner will issue an assessment report specifying whether the data controller is complying with the data protection principles and any recommendations.

Again the data controller can appeal to the Information Tribunal against such a notice.

There is an urgent need for information governance to be taken seriously at board level and a need for sufficient importance and resources to be allocated to it.

This has been a common criticism throughout all of the government reports and until that happens, these data leaks will continue, which can lead to embarrassment, loss of reputation and sanctions.