Giving staff quick and efficient access to patient information while ensuring that such data does not fall into the wrong hands is a key challenge facing the NHS

In recent months, data losses in the NHS have been a recurring theme, with trusts disclosing new breaches on a regular basis. So far, the debate has focused on technology but has failed to address the role played by people involved in data disclosures and how this can be managed within the system.

In a recent debate on electronic patient records, health minister Ben Bradshaw said he strongly supported an increase in penalties for NHS staff who breach the Data Protection Act. This followed evidence reported by health select committee chair Kevin Barron, who cited a number of examples of NHS staff accessing records for no justifiable reason.

For this reason, personal accountability and effective audit trails are set to move up the agenda. Human error will never be eliminated, but access to records and data can and should be managed and audited.

Smartcard shortcomings

Sharing log-ons and smartcards to overcome slow access to records is one of the reasons given to explain how so many people gain unauthorised access to data. And then there is the age-old problem of passwords. Recent surveys have shown that heavy users of IT have on average 21 different passwords. The difficulty of remembering so many passwords means there is a risk that some people will write them down or store them on their computers.

The NHS Care Records Service is designed to support patient confidentiality and restrict access to records. However, the smartcards used to control access to this new service have been the cause of much controversy, as they require multiple log-ons and force staff to wait up to 90 seconds for access.

Long log-in and log-out times, experienced when staff change users on a shared workstation, are a serious issue across trusts, with many complaining about the impact on efficiency. As a result, many staff remain logged in to allow other users to gain quick access to workstations.

Such practices can make it difficult to trace accountability in the event of malpractice, increasing the possibility of innocent employees being punished for the negligence or misconduct of others.

New solutions

There is technology out there that represents a compromise. Mayday Healthcare trust, which provides hospital-based health services to around 330,000 people in and around Croydon, recently implemented a new system that allows users to sign on to all applications using one smartcard and pin number, thus improving clinical efficiency, security and accountability.

This kind of technology removes the need to share passwords and can be used to allow access to a well-defined user group. The system allows hospital IT departments to create comprehensive audit trails to track access to applications. It requires no overhaul of existing NHS technology, simply integrating with existing applications.

The Department of Health's Care Record Guarantee pledges that access to records by NHS staff will be strictly limited to staff who "need to know" to provide effective treatment to a patient. If this agreement is to be honoured, the focus needs to be on who is accessing records, rather than how they access them.