Data security in the NHS is being put at risk because managers are focusing on financial issues and structural reforms, the Information Commissioner has warned.

Christopher Graham said the reforms were “about reorganisation and about cuts”.

“Information security is all too easily seen as a back office function – actually it is absolutely front line in the changes that are going on,” he said.

“If you regard information rights as a back office function, we are heading for disaster. These [government NHS] reforms can only work if we have very good patient choice and monitoring of the system, and the opportunity for using all the data that is available in a safe way.

“I’m not confident that the risks are being managed. I’m hearing hard pressed managers are putting almost everything ahead of information rights.”

The Information Commissioner’s Office is the watchdog charged with ensuring organisations observe the Data Protection Act.

Mr Graham said he knew of one NHS finance director who said that every day he was faced with decisions between “what would lose him his job and what would get him sent to prison [for misuse of public data]”.

He said information use was being given low priority, even though better use of data is central to the success of the reforms, as it is important for both patient choice and effective monitoring of the provider market.

Improved services also depended on the “pseudonymisation” of patient information, which could be made available across the system while still preserving privacy, he added.

Mr Graham revealed the Information Commissioner’s Office was developing a national strategy for information rights, and that health and social care had already been identified as a priority sector.

He also said there was evidence that the health service is “not as good as it should be” in safeguarding data.

“At  local GP practice level, there are far too many incidents about personal information,” Mr Graham said.

He added: “It is all too easy to blag personal information over the phone, just by ringing up the surgery”.

He warned that health organisations breaching the Data Protection Act would face action from the Information Commissioner’s Office.

Topics