In 2016, the Information Commissioner’s Office (ICO) issued several monetary fines to healthcare companies for infringing the Data Protection Act (DPA) by unintentionally disclosing patients’ sensitive data.
Last year’s ICO enforcements
Whitehead Nursing Home was fined £15,000 following the loss of an unencrypted laptop brought home by a member of staff. It contained the confidential and sensitive personal data of 29 patients (including their names, dates of birth and medical conditions) and 46 members of staff (including reasons for sickness absence and disciplinary matters).
Regal Chambers Surgery, a GP practice, was fined £40,000 for disclosing a child’s record without the consent of his mother.
Chelsea and Westminster Hospital NHS Foundation Trust was fined £180,000 for disclosing more than 700 email addresses of users of an HIV service. In two instances, email addresses were entered into the ‘to’ field instead of the blind carbon copy (bcc) field.
Blackpool Teaching Hospitals NHS Foundation Trust was fined £185,000 for inadvertently publishing private information of 6,574 members of staff on its website for 11 months.
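The Chelsea and Westminster breach is a good illustration of a technical control backing up staff training: the mistake (a bulk mailing with recipients in the visible ‘to’ field) can be caught before the message leaves. The following is an added example, not code from the original post, the ICO or any of the organisations named; the recipient threshold, the sample addresses and the function names are assumptions made for the illustration.

```python
"""
Added illustration (not from the original post or the ICO): a pre-send check
that catches the mistake behind the Chelsea and Westminster fine, where a bulk
mailing listed recipients in the visible 'To' field instead of 'Bcc'.
The threshold and the sample messages below are assumptions for the example.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed policy: a message that reveals more than this many distinct recipients
# in To/Cc is treated as a likely bulk mailing that should have used Bcc.
MAX_VISIBLE_RECIPIENTS = 5


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return the distinct addresses exposed to every recipient (To and Cc)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    seen = []
    for _name, addr in getaddresses(headers):
        addr = addr.strip().lower()
        if addr and addr not in seen:
            seen.append(addr)
    return seen


def check_message(msg: EmailMessage, limit: int = MAX_VISIBLE_RECIPIENTS) -> dict:
    """Classify a message as 'ok', or 'block' when the visible recipient list
    would disclose to every recipient who else is on the mailing."""
    exposed = visible_recipients(msg)
    bcc_count = len(getaddresses(msg.get_all("Bcc", [])))
    if len(exposed) > limit:
        return {"verdict": "block", "exposed": len(exposed), "bcc": bcc_count,
                "reason": f"{len(exposed)} addresses visible in To/Cc; use Bcc"}
    return {"verdict": "ok", "exposed": len(exposed), "bcc": bcc_count, "reason": ""}


def build_message(to, cc=(), bcc=()) -> EmailMessage:
    """Helper to construct sample messages for the demonstration."""
    msg = EmailMessage()
    msg["From"] = "clinic@example.org"   # constructed sender
    if to:
        msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = "Service newsletter"
    msg.set_content("Constructed sample body.")
    return msg


# Constructed sample recipients (not real addresses).
PATIENTS = [f"patient{i}@example.net" for i in range(1, 9)]

# The failure mode from the ICO case: every patient listed in 'To'.
BAD = build_message(to=PATIENTS)
# The corrected form: one visible address, everyone else in 'Bcc'.
GOOD = build_message(to=["clinic@example.org"], bcc=PATIENTS)

if __name__ == "__main__":
    for label, m in (("bad", BAD), ("good", GOOD)):
        print(label, check_message(m))
```

Run stand-alone, the script blocks the constructed mailing that exposes eight patient addresses and passes the version that keeps a single visible address and moves the rest to Bcc. In practice a check like this sits in the mail gateway or as an outbound transport rule rather than on the desk of the person sending, so that one slip in a busy clinic does not become a reportable breach.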
Staff misconduct at the heart of the problem
What do these organisations have in common? Staff misadventure is at the heart of the data breaches. The cause can be linked to the following:
- Poor IT knowledge;
- Staff unaware of internal security procedures and policies;
- Staff unaware of their duties and responsibilities under the DPA.
In short, a lack of staff awareness training.
As data controllers, healthcare companies should comply with all eight data protection principles and make sure that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”, as mandated by principle 7. The DPA principles apply to the entire organisation, staff included.
Staff training to reduce data breaches
Rolling out a staff awareness programme will give staff a better understanding of their compliance requirements, your organisation’s security policies and procedures, and basic knowledge of information security best practices to reduce preventable mistakes.