Few would take issue with a statement that the NHS and its associated parts need to be trusted to maintain the confidentiality and security of personal information. The principles of information security require that all reasonable care is taken to prevent inappropriate access, modification or manipulation of data. In the NHS, the most sensitive data is, of course, patient record information.
NHS Connecting for Health describes the three cornerstones as confidentiality, integrity and availability. Information must be secured against unauthorised access (confidentiality), information must be safeguarded against unauthorised modification (integrity), and lastly information must be accessible to authorised users at the times they require it (availability). But what happens when these principles are breached? What immediate steps should be taken and how does the Data Protection (Monetary Penalties) Order 2010 work in practice?
From 6 April 2010, the Information Commissioner has been able to impose a fine of up to £500,000 for serious contraventions of Data Protection principles. The breach must be such as to have been likely to cause substantial damage or distress. In addition, the data controller concerned must either:
- Have deliberately carried out the contravention.
- Have known (or ought to have known) that there was a risk of the contravention occurring but failed to take reasonable steps to prevent it.
The government has estimated that the Information Commissioner will use his powers to impose a monetary penalty in around 8 cases a year. Safeguards have been put in place to endeavour to ensure that penalties are fair and a monetary penalty notice will only be appropriate in the most serious situations.
This link will take you to the NHS Connecting for Health website with links to the following NHS Codes of Practice and Legal Obligations:
- Confidentiality: NHS Code of Practice
- Information Security Management: NHS Code of Practice
- NHS Information Governance: Guidance on Legal and Professional Obligations
On 24 November 2010, the Information Commissioner served the first two organisations with monetary penalties for serious breaches of the DPA. The first penalty of £100,000 was issued to Hertfordshire County Council for two serious breaches where Council employees faxed highly sensitive personal information to the wrong recipients. The second monetary penalty of £60,000 was issued to an employment services company for the loss of an unencrypted laptop which contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester.
This link takes you to the Information Commissioner’s Office Statutory Guidance on how the power to impose monetary penalties will be used.
Where the Information Commissioner’s Office decides to take action to change the behaviour of an organisation (in addition to imposing a monetary penalty) it may:
- Issue undertakings committing an organisation to a particular course of action.
- Serve enforcement notices.
- Prosecute those who commit criminal offences under the Act.
- Serve assessment notices.
- Conduct audits.
- Report to Parliament on issues of Data Protection concern.
In July 2011, no fewer than 5 NHS Trusts were required to provide undertakings. The breaches involved included:
- Loss of one individual’s medical records.
- Transmission of a fax containing sensitive personal data to the wrong recipient.
- A discovery of 29 patient records containing sensitive information in a public place.
- The faxing of sensitive personal data to a member of the public on more than one occasion.
What you should do if you become aware that a breach has
Organisations must respond to and manage data security breach incidents appropriately. There are four important elements to any breach-management plan:
- Containment and recovery – you should have a recovery plan and procedures for damage limitation.
- Assessing the risks – in particular, you should assess the potential adverse consequences for individuals; how serious or substantial these are; and how likely they are to happen.
- Notification of breaches – this includes considering notifying the individuals concerned; the ICO (see below); other regulatory bodies; other third parties such as the police and the banks; or the media.
- Evaluation and response – if necessary, you should update your policies and procedures.
When to report a breach to the ICO
There is no legal obligation for organisations to report breaches of security which result in loss, release or corruption of personal data.
The ICO does however say that serious breaches should be brought to the attention of his Office. Serious breaches are not defined but the following factors should be taken into account when considering whether or not to report:
- The potential harm to data subjects – this is the overriding consideration in deciding whether a breach should be reported.
- The volume of personal data lost/released or corrupted – each case will need to be judged on its own facts but the guidelines suggest that any breach involving 1,000 or more individuals ought to be considered for reporting.
- The sensitivity of the data – where the release of data could cause a significant risk of the individuals sustaining substantial harm, there should be a presumption to report even if smaller amounts of personal data are involved.
Examples of serious breaches could include the loss of medical records during an office move or the loss of an unencrypted laptop/CD.
Whilst there is no legal obligation to report, the spirit of the guidelines does encourage reporting where the above criteria have been met. Furthermore, it is clear from the wording of recent penalty notices that whether or not a breach has been reported will be considered as a mitigating factor by the Commissioner when taking into account what penalties to impose for breaches.
There is increasing discussion over the introduction of mandatory breach notification and The Privacy and Electronic Communications Regulations (amended in May 2011) introduce mandatory breach notification by providers of a public electronic communications service. It may only be a matter of time before that obligation is rolled out to other public and private bodies.
In the words of the ICO’s 2011 annual report, “information is the currency of democracy”, and organisations need to ensure that they have adequate safeguards and procedures in place to protect the information they hold. With increasing talk of mandatory reporting obligations, the action taken by the ICO over the last 18 months is likely to be just the start of things to come. Indeed, in the 2011 corporate plan the Information Commissioner stated that he will make early and effective use of the new data protection powers to impose civil monetary penalties on data controllers who seriously get it wrong.
Data controllers risk getting it wrong at their peril.
Bevan Brittan has substantial experience in advising healthcare professionals in connection with data protection issues. If you would like to discuss any of the issues raised in this article, please contact us.