The health service's procedures for protecting confidential data are worryingly inadequate, argue Sven Putnis and Andrew Bircher

"Prime minister Gordon Brown has said he 'profoundly regrets' the loss of 25 million child benefit records." BBC, 21 November 2007

"Thousands of criminal files lost in data fiasco" The Times, 22 August 2008

"A new fraud alert was issued by the government this weekend as it confirmed that it had lost another computer disc containing the personal financial details of 40,000 housing benefit claimants." The Sunday Times, 2 December 2007

"A contractor working for the Home Office has lost a computer memory stick containing personal details about tens of thousands of criminals." BBC, 21 August 2008

The above headlines have made all too familiar reading over the last year. With data collection and storage methods expanding rapidly, there are likely to be many more.

Unprotected

We surveyed 105 doctors across 11 specialties and four levels of seniority in a major teaching hospital in London.

Of these, 92 had memory data storage devices ("sticks"), 79 of which held confidential patient information. Only five of the 79 memory sticks had password protection enabled. There is no reason why this lack of security would not be mirrored in surveys across every hospital in the UK and beyond.

These memory sticks are usually attached to keys or ID badges carried inside and outside hospitals. They could easily be mislaid. The Data Protection Act 1988 is clear on the role of data controllers:

Patients have the right to expect us to ensure that personal data is:

  • processed fairly and lawfully;

  • obtained for specific and lawful purposes;

  • adequate, relevant and not excessive for those purposes;

  • accurate and, where necessary, kept up to date;

  • not kept for longer than is necessary;

  • processed in accordance with your rights as a data subject;

  • kept secure;

  • not transferred abroad unless to countries with adequate data protection laws.

Our survey looked at just one of the above rights. It is worrying to imagine whether any of the others are also being so blatantly ignored.

Data collection and processing has undoubtedly made patient care more efficient and allows for far greater assessment of the care we provide. However, it is vital that this expansion in technology is monitored to ensure we uphold patients' rights to privacy. Unless urgent action is taken, it is surely only a matter of time before the NHS adds its name to the above headlines.