The Information Commissioner’s Office has expressed its concern over the number of data loss incidents being reported from within the NHS, highlighting the latest two cases of severe breaches in the health service.
Stoke-on-Trent was criticised for having potentially "destroyed or misfiled" about 2,000 paper physiotherapy records. Basingstoke and North Hampshire NHS Foundation Trust, meanwhile, was found to have emailed hundreds of patient records via unsecured email to a department with "no business need to have access to the excessive amount of clinical records".
According to the ICO, approximately a quarter of all reported data breaches are submitted by the NHS. "Everyone makes mistakes, but regrettably there are far too many within the NHS," said Mick Gorrill, head of enforcement at the ICO. "Health bodies must implement the appropriate procedures when storing and transferring patients’ sensitive personal information. We have taken a number of steps to explain the importance of personal data to NHS bodies and help them comply with the law. We will continue to do so."
Both trusts have agreed to implement measures to improve security. However, it appears that neither trust in this case was fined by the ICO, which earlier this year introduced an increased maximum fine of £500,000 for severe data loss incidents.
Shortly after its introduction, ICO deputy commissioner David Smith said that it was only a matter of time before the watchdog handed out its first £500,000 penalty, although it remains unclear exactly what kind of data breach would attract a fine of this size.