NHS Digital has suffered a data breach in which 150,000 patients had their confidential data shared without their permission.
The breach affected national data opt-out (formerly type 2 opt-out) patients. National data opt-out is used when patients only consent to their data being used for their individual care. However, GP surgeries that used TPP’s SystmOne software after 31 March 2015 had not passed on this opt-out information, so patient information was used for clinical research. NHS Digital has blamed the breach on a ‘coding error’.
In a statement to parliament, Parliamentary Under-Secretary of State for Health Jackie Doyle-Price MP said: “TPP has apologised unreservedly for its role in this matter and has committed to work with NHS Digital so that errors of this nature do not occur again. This will ensure that patients’ wishes on how their data is used are always respected and acted upon.”
The Information Commissioner’s Office and the National Data Guardian for Health and Care, Dame Fiona Caldicott, have been notified.
Information security and ISO 27001
Information security addresses the need for organisations to ensure the confidentiality, integrity and availability of the information they process. NHS Digital’s failure to pass on patients’ opt-out preferences indicates a failure in its information security management practices.
ISO 27001 is the international standard that describes best practice for an ISMS (information security management system). ISO 27001-accredited certification provides an independent, expert verification that your organisation’s information security is managed in line with international best practice and business objectives.
Achieving accredited certification to ISO 27001 also demonstrates to prospective clients and suppliers that you have a robust information security posture and provides them with confidence in your ability to securely process data in line with business needs.
Free green paper: Implementing an ISMS – The nine-step approach
Thousands of organisations around the world are implementing an ISO 27001 ISMS to safeguard their sensitive data, help avoid financial penalties related to a data breach and improve their ability to tender for contracts where ISO 27001 is a requirement.
This free green paper from IT Governance provides a quick introduction for those who are unsure where to start with ISO 27001 implementation.