Data breaches at four trusts have prompted the Information Commissioner's Office to remind the health service about patient record privacy. All NHS trusts have been reminded about data security after breaches at Cambridge University Hospital, Central Lancashire Primary Care, North West London Hospitals and Hull & East Yorkshire …
This is just embarrassing
A written undertaking - that's going to hurt. Did it come with a stern word and a harsh glance over the top of the spectacles?
When will someone (anyone?) in the public sector grow a pair and start sacking these idiots for gross misconduct?
"signed formal undertakings"?!?
"The ICO said that all four trusts have signed formal undertakings to process personal information in line with the Data Protection Act."
Aren't they legally required to do this anyway? Maybe they just need a little bit of reminding. Surely giving certain IT bosses the sack would drive the message home fairly quickly?
Nothing will change
Nothing will change in any organisation until such blatant breaches of data security are dealt with via criminal charges or large civil fines for individuals guilty of said breaches.
The idea of a publicly funded body fining other publicly funded bodies, who will pay it out of taxpayers' money, is ridiculous.
@"signed formal undertakings"
"Surely giving certain IT bosses the sack would drive the message home fairly quickly?"
It's usually not the fault of the IT bosses. They're powerless to enforce an IT policy that prevents this sort of misuse of the data. Or did you think that it would be IT policy to attach the passwords to USB sticks?
The problem is a culture of convenience that wants to take the easiest possible route to a goal, regardless of risks taken with the data, and ignores any warnings about data protection. If the IT manager tells clinical staff not to take the data home, he'll be ignored. If he complains about this to management, he'll be ignored. If he tries to prevent misuse by locking down systems to stop removal of data, he'll get told in no uncertain terms that the clinicians must be allowed access to the data however they want it.
did you hear the one about...
A UK NHS health trust's (no names) dept insisted that their entire dept was issued with the latest laptops and docking stations for their staff (pre-SafeBoot rollout), even though they rarely ever went, or had need for a PC, off site.
(Yet another example of keeping up with the Joneses and "let's waste £££ just to keep next year's budget up".)
They were so lazy they couldn't be bothered to take the laptops off the desks and lock them away at night in their lockable desk drawers.
Then one day they left the blinds open (probably had been left like that for weeks) and probably the (insecure) sash windows unlocked, and surprise, surprise, the next day when they turned up for work all the laptops had been nicked.
Sounds much like the one about [major mobile phone telco in 'middle' England] senior users not having corporate backups of corp data held on their zillions of laptops.
Then one day, someone cases out the HQ and the security sweeps of the staff, takes a large window out, casually walks around one of the buildings for an hour or two and helps themselves to the very latest expensive (Toshiba/Dell) laptops and all the latest corporate data that the competition would kill for.
(Motto of this one: the security staff are there to maintain site security, not to work as junior staff filling up the photocopiers/printers.)
[I believe this cockup has now been fixed and security seriously beefed up]
mines the matt black one with the night vision goggles in the deep pockets....
Do they bother to train staff?
Are new hires sent to a classroom where someone stands up and says "well, you *can* put data on a USB stick (like this) or a CD (like this), but if you do you will be fired and you will face criminal charges when the data is lost."
I can remember the days when Lotus 1-2-3 came with several fat reference manuals, ditto for WordPerfect. In fact, even Windows had a reference manual for users. Now we have infinitely more complicated software, but manuals printed by the software originators have utterly disappeared.
There is an education and training gap; people are using computers without understanding the consequences of their actions; endless data losses are one result.
Another result, a personal peeve, is the email with a gazillion addresses stuffed into the "To:" header instead of using envelope addressing via BCC.
If they are not unsuccessfully driving nail bomb cars into airports, they are losing data left, right and centre.
Can you really trust your health to these idiots? Get rid of the lot of them, and reduce taxation.
No one ever gets fired in the NHS - the same as any other part of government.
Until that happens, individuals will continue with the cavalier attitude.
Write the rules for the employees concerning the handling of data and make it known people face instant dismissal for breaking the rules.
It's the same as a doctor or nurse breaking patient confidentiality and it needs to be treated just as seriously, if not more so.
re: culture of convenience
Alternatively, accept the culture, and design the systems as failsafe - here, for example, to accept human nature, and anonymise standard downloads. Or, following a popular idea in this thread, add a Windows pop-up that says "are you sure? Losing this file could cost you your job".
Mind you, I'm not sure I want a job that pays peanuts, lacks training, and threatens incorrect data entry or file downloads with the sack - better to work at a bank.
It is my job to advise staff on the protection of personal data and I agree with what has been said, especially the part about sacking a few people. Not necessarily the bosses, mind (though that would not be a bad thing), but a few frontline staff. The problem is that until the Trusts put loss of data high on the agenda this will always happen.
On the flip side there are 1.2 million people who work for the NHS and deal with 60 million records and if you are telling me there will never be mistakes then you are having a laugh. Of course there will be mistakes and at times costly.
Get rid of them
It's totally unacceptable that individuals manage to lose known valuable information due to their own stupidity. They should never be allowed to handle similar information at any time in the future... and they should face instant dismissal.
It really makes no difference which position they hold in any company. Simply fire them as an example to other lazy morons who treat people's and companies' valuable information with total disregard.
There should also be a clause in their contract that allows them to be heavily fined for loss of such valued electronic information which they are responsible for safeguarding.