An email sent by the NHS advice service mistakenly disclosed personal information about patients, although it did not leave the health service. The organisation's annual report for 2008-09 reveals that the information, including the names, addresses, NHS numbers, dates of birth and clinical data of about 100 patients, was …
Quote: "NHS Direct takes data protection very seriously and we regularly review our processes and train our staff in order to ensure that we fulfil our responsibilities in this area." That's a lie. Proof:
"... this happened when a spreadsheet was emailed to three people in error."
a) "spreadsheet" + "emailed": FAIL.
b) "spreadsheet" + "emailed" + "to three people": Catastrophic FAIL.
c) "emailed" + "in error": Final, irrevocable proof that they...
- do NOT train their staff in any meaningful way
- do NOT take data protection seriously
- do NOT fulfill their responsibilities in this area.
End result: Complete, utter, FAIL.
You missed the bit where the spreadsheet was a photo of a screendump printed out and placed on a wooden table before being pasted into a spreadsheet.
Hardly a major failure. The information didn't leave the NHS so everyone who saw it would already be bound by patient confidentiality rules. Every company I've ever worked for has used spreadsheets for emailing information, at least the NHS is acting responsibly by holding its hands up and admitting it.
Just give the whole lot to Google to look after --- and make it publicly available.
We might just as well google for each other's personal details as find them on park benches and the back seats of cars.
isn't between the patient and ALL of the NHS. So data ending up with the wrong employees is a breach of that confidentiality. At least they're owning up to it but still they're not exactly showing trust-inspiring levels of competence.
-- "The information didn't leave the NHS"
This isn't guaranteed. The spreadsheet was emailed to "another part of the health service" - depending on their definitions, it's entirely possible that the email in question travelled over the Internet, and could therefore have been intercepted at any one of a number of points along the way...
If it was emailed, it *should* have gone over NHSNet (which has been renamed, but I can't remember what to, N3 I think) which has a separate encrypted backbone and shouldn't end up going through any unapproved ISPs.
I should imagine you are correct that any NHS email address would have been routed over N3.
Glad to know that our data is completely safe as surely no employee in their right mind would have the gall to put an internet email address into the CC field....
In this case you are probably correct, as the sender and recipient would almost certainly have been using NHS mail which is secure end-to-end between nhs mail addresses [@nhs.net].
However, the principle doesn't hold generally, as [unlike social services and MoD] there are many parts of the nhs that use @nhs.uk addresses, which are not secure outwith their own organisation, and so are inappropriate for sending patient data to other domains [including other @nhs.uk and @nhs.net addressees], as this traffic would be routed over the internet.
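The routing rules this commenter describes, turned into a pre-send recipient check as an added example (not code from the thread, NHS Direct or NHSmail). It assumes, following the comment, that nhs.net to nhs.net is encrypted end to end, that any other domain is only "internal" to its own organisation, and that everything else crosses the internet; the addresses are constructed for illustration.

```python
from email.utils import parseaddr

# Domains the comment above says are encrypted end-to-end between each other.
# Assumption modelled from the thread, not an NHS policy document.
SECURE_END_TO_END = {"nhs.net"}


def mail_domain(address):
    """Extract the lower-cased domain from 'Name <user@dom>' or 'user@dom'."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        raise ValueError(f"not a mail address: {address!r}")
    return addr.rsplit("@", 1)[1].lower()


def route_class(sender, recipient):
    """Classify how a message from sender to recipient would travel."""
    s, r = mail_domain(sender), mail_domain(recipient)
    if s in SECURE_END_TO_END and r in SECURE_END_TO_END:
        return "secure"     # nhs.net to nhs.net: encrypted end to end
    if s == r:
        return "internal"   # stays inside one organisation's own mail system
    return "internet"       # would be routed over the public internet


def patient_data_release_check(sender, recipients):
    """Return {recipient: route} for every recipient the mail must not go to.

    An empty dict means every recipient is acceptable under the modelled rules;
    a mail client or gateway would block or warn before sending otherwise.
    """
    return {
        rcpt: cls
        for rcpt in recipients
        if (cls := route_class(sender, rcpt)) == "internet"
    }


if __name__ == "__main__":
    # Constructed sample: a trust mailbox sending a spreadsheet to three people.
    sender = "clinic@trust-a.nhs.uk"
    to = ["records@trust-a.nhs.uk", "audit@trust-b.nhs.uk", "Dr Example <gp@nhs.net>"]
    for rcpt, cls in patient_data_release_check(sender, to).items():
        print(f"BLOCK {rcpt}: route is '{cls}', unsuitable for patient data")
```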