In a press release this week, the Information Commissioner’s Office (ICO) slates the NHS for not taking the security of personal information seriously. It claims that a quarter (250) of all data breaches reported to the ICO are from the NHS. According to the Data Breach Table (also published by the ICO), the number of reported data breaches from the NHS actually exceeds a quarter, and is claimed to be 305.
The issue here isn’t the discrepancy in the figures. The issue is that NHS organisations are obliged to notify the ICO of every data breach, whereas other organisations, particularly in the private sector, are not. Given this, branding the NHS as the worst offender for data breaches may not be entirely true.
Putting these issues aside, there can be no disputing the fact that there are far too many data breaches coming from the NHS and the action taken by the ICO is justified.
Mick Gorrill, Head of Enforcement at the ICO, said:
“Everyone makes mistakes, but regrettably there are far too many within the NHS. Health bodies must implement the appropriate procedures when storing and transferring patients’ sensitive personal information. We have taken a number of steps to explain the importance of personal data to NHS bodies and help them comply with the law. We will continue to do so.”
Beyond signing a formal undertaking and promising to do a better job, a serious data breach can be a lot more harmful to an organisation, no matter what sector you are in. There are financial penalties of up to £500,000 for a start, and then there is the brand damage, which could cripple your income streams at the source as customers lose trust and move to your competitors.
Simplify Data Protection Act (DPA) Compliance
The first thing you need to do is identify your current level of conformance. The DPA Compliance Assessment Tool will help you do this: it provides recommendations and offers guidance to help you close any gaps that are identified.
Once you have identified exactly what you need to do in order to become fully compliant with the DPA, you will find the DPA Compliance Documentation Toolkit invaluable. It includes all the fully customisable documentation templates that are essential for any UK data controller (any UK organisation responsible for personal information) seeking compliance with the UK Data Protection Act 1998.
The Assessment Tool and the Documentation Toolkit will enable your organisation to become fully compliant with the DPA. However, to make the process easier and to provide supporting guidance, we have bundled them together with two pocket guides and a set of posters.
You will also benefit from attending our Data Protection Act (DPA) 1-Day Course – in London.