Information Commissioner Richard Thomas told the House of Lords this week that doctors should be fined up to £5,000 if they lose confidential patient data. Giving evidence to the House of Lords Constitution Committee, Thomas said: "If a doctor, or hospital [worker] leaves a laptop containing patients' records in his car and it …
I'm not sure how most trusts work, but ours use an entire drive encryption technology. Users have to log in with a username and password before getting anywhere near Windows. Taking the drives out of the laptop and putting into another laptop to extract data would be fruitless. The entirety of the drive is encrypted. It takes away the need for doctors and staff to encrypt valuable data. Why isn't this practice used everywhere? Using Citrix to publish Word if patient letters are created? Surely if you're not making adequate attempts to protect patient information you shouldn't be working for the NHS and you're probably in breach of Caldicott.
Just another soundbite
The greatest number of leaks of personal information are acknowledged to come from the Inland Revenue, the Benefits Agency and the DVLC. Some years ago I tried to get the Data Protection Registrar (as she was known then) to investigate a blatant breach. An ex-copper who worked there told me on the telephone that my complaint would be frustrated and ignored, as they had a 'very good working relationship with all the Government agencies'. Data protection is important, but the current set-up works as a corrupt club. It is no surprise that they pop up now and again to make some noise and attempt to justify their budget.
Encryption is simple!
Just scan in a doctor's handwritten notes. If they are anything like their prescription forms, it will be impossible to read the data.
"Just scan in a doctor's handwritten notes. If they are anything like their prescription forms, it will be impossible to read the data."
My pharmacist can crack them in seconds. :P ;)
So now companies will start hushing it up when a laptop goes missing...
Why stop at doctors?
One of the most appalling examples of loss of other people's data was the theft last year of a laptop from an employee of the Nationwide building society. The employee had personal data on several million customers, apparently for no better reason than to conduct market research.
The ICO fined the Nationwide almost a million pounds, but since the Nationwide is a building society, that amounted to penalising the customers for the loss of their own data. That's not a deterrent, it's simply an insult to the customers.
If the Information Commissioner were serious about this problem, he would propose that a company's chief executive and chief information officer should both be fined for the loss of customer data. A fine of one pound per customer whose personal data is compromised should focus their minds on the importance of securing customers' personal data.
Well, I'm pleased to hear that your trust scrambles their drives, but the introduction of a set of penalties might encourage more of them to Do The Right Thing. Frankly, having a laptop stolen which contains confidential information held in plaintext should get you sent to prison, as should holding it in plaintext and *not* having the device stolen. And this should apply to USB fobs, CDs, over the wire transfer, floppy discs, and *any* other sort of storage device.
The offence is not having the data stolen, it's holding it in plaintext in the first place.
I always laugh at the 'sensitive military plans' going missing. Yeah, right. Only the plans that they want to leak out. But, as usual, the AC is right: if you must have confidential data on a system, use cryptography. Just don't lose the keys ...
Sauce for the Goose?
So this means that Patsy will pay for leaking doctors' private details through the MTAS website, does it?
And this means that the minister responsible for the FCO will cough up for leaking thousands of details of Visa applicants through their website, does it?
Or does the word "responsible" have a different meaning when it's the government involved? I wonder if I can find out under the Freedom of Information Act... What do you mean that FOI doesn't apply?
We are all doomed
Absolutely the lack of encryption/localised security should be addressed here ... you cannot delegate responsibility to the users without available commodity (e-)solutions (which we may well see emerge in the future but not now).
However, I am perplexed by our cultural addiction to localised data (whether on a laptop or a desktop). Surely the first focus should be to ensure as much data as possible is centralised and only accessed over centrally controlled network security. If you can access your session anywhere/anytime, why would any localised data be required! .... Access, even where local and/or encrypted, should then rely on a smart card/token system such that the laptop alone is useless (and even with the card/token still needs access code/password).
Paul, are you psychic?
I think this backs up Paul's post quite nicely....
Human error is unavoidable
All the above points are very salient but the reality is that human error occurs no matter how stringent an organisation's policies are. Tools to stop access to sensitive data are all very well but the really smart baddies will get round them.
Also, all the comments talk about customer or patient records as sensitive data but these are the crown jewels. Any laptop, professional or personal, will have something on it that will be deemed to be sensitive, perhaps an e-mail or even a letter to a client confirming the contents of a meeting.
Far better would be to accept human error and adopt tools that react to them. If a laptop goes missing why not wait for it to wake up and then delete all data on it, as it boots? By the time the crook has got past the password he is confronted with a blank PC. The organisation that lost it has a report confirming the delete, where and when, so there is no need for fines and negative publicity can be avoided.