back to article Welsh NHS fined £70k for patient psych file leak blunder

The UK's Information Commissioner's Office (ICO) has slapped its first fine on the NHS after a mental health patient's file was leaked in an email gaffe. The ICO handed the Aneurin Bevan Health Board in Wales a bill for £70,000 for sending the sensitive information to the wrong person. A consultant from the NHS organisation …

COMMENTS

This topic is closed for new posts.
Flame

And again the ICO are fining the public purse. STOPPIT!!!

Is the public sector that bad with data, or is the ICO scared of going after the private firms? It seems very disproprtionate the number of reported cases of public vs private.

5
0
Silver badge
Stop

Well...

...as the NHS is amongst the largest "businesses" in the world, then they are likely to make more cock ups. Then add up how many are employed in Local and National Goverment and it suddenly become apparent why.

Now combine that with the sort of information they handle and you can see why it causes a shitstorm.

However the fines should hit the Directors, then it's soon get sorted (well it won't really, they'll just sack the poor sod who did the typo)

2
0
FAIL

Data duplication

"Is the public sector that bad with data?"

Well, as they have to type it in more than once, clearly, yes. Email addresses are so easy to get wrong, which is why most systems capture them once and if you need to email a customer, you select a customer and then their email. You then have visual confirmation. It's not perfect, but it's going to get rid of most errors.

0
0
Silver badge

Who gets the £70k?

If the money goes to the patient whose privacy was invaded, good, although £70k seems like a lot.

If it's just a case of shuffling £70k from one lot of pen-pushers to another, what's the point?

4
0
Big Brother

Re: Who gets the £70k?

The point is the budget holder (NHS) got whacked with a number big enough to make the managers take notice the next time somebody tells them they need to do something to secure their data.

i.e. X is cheaper than another £70k fine.

0
0
Facepalm

Title

Wait...what? Patient information can only be shared by email using start and end-point NHSNet addresses (@nhs.net). From the article, a letter was being emailed to the patient (off NHSNet presumably) but ended up at a different spelling of the name (off NHSNet).

Seems could have happened by paper just as easily as email, though

1
0
Angel

Re: Title

Ideally if the data protection laws were written correctly it shouldn't matter what format the data was in, paper, email, or freaking stone tablets, if the cock up could have been prevented by simple training then they breached the law...

But I'm sure the law is written in a stupid way...

0
1
Silver badge

Re: Title

I had some really stupid arguments with people about NHSnet when I worked in the NHS. Well, to be precise I had some arguments with really stupid people. Trying to get them to understand that NHSnet wasn't some safe, magical land in which no security breach could ever occur was an exercise in frustration. Yes, my frustration got *a lot* of exercise in the NHS.

2
0
Anonymous Coward

Re: Title

Not strictly true.

It is the case that @nhs.net - @nhs.net is the guaranteed safe way to send info between NHS organisations, but @thistrust.nhs.uk to @thistrust.nhs.uk is equally safe for intra-organisation emails as it never leaves the server. The big problem is @thistrust.nhs.uk to @thattrust@nhs.uk where it has to traverse the dangerous interweb and will invariably be lost/intercepted/published on a website/sent to my worst enemy for him to laugh at etc.

0
0
Silver badge
Mushroom

Re: Title

This is exactly what I'm talking about - the idea that NHSnet is magical safeland and all is fine if you don't set foot outside of it. I saw all sorts of confidential data emailed all over the place and when I raised it as issues, the reply invariably came back "it's okay, it stays inside NHSnet".

The NHS is not some small private group of competent people, all with one access level of privilege to see everything within. There is all sorts of granularity and levels of privilege, there are all sorts of distinct areas within the NHS with boundaries of responsibility, confidentiality... And yet the DoH kept repeating this mantra that all was safe within NHSnet. It's like drawing a line in chalk around London and saying there's no need for locks on doors or anyone to have any papers saying what they're allowed to do or not.

You obviously know a bit about this because you hone straight in on inter-trust communications. Yes, there are big howlers like this. But the whole system is riddled with countless bad practices every day. And always the same mantra: it's safe inside NHSnet. For example, you have no idea how hard we had to fight to get even basic confidentiality requirements put in place in CfH / Spine. Statements went out to concerned memebers of the public that they need not worry because all people had committed to strict NHS confidentiality requirements. Whilst at that stage, what it meant was that every receptionist and secretary at every practice in the country had scrawled their name on a bit of paper when they started and could then look up data on anyone in the country. Yes - CfH really was that bad when it first started being set up. I know, I looked up my medical records that were under a completlely different trust with no audit trail of who had looked it up. I could have as easily looked up anyones and any of the secretaries at the place could have looked up anyone else in the country. Let me repeat that - they didn't even have an audit trail in place to see who accessed what. We eventually - only by raising a big fuss - got some basic security measures in place.

Lot of good people in the NHS. But not many at the top. And don't even get me started on the corruption when it comes to American corps milking the NHS for profit and giving fuck all in return!

The biggest reason I left the NHS was because I recognized that the actual problems were above the level that I had the authority to fix. (Well, that and a creepy married manager who fancied me).

Okay, rant over. I assume you're still inside the NHS. Good luck!

2
0
Big Brother

Re: Title

DPA98 has been around long enough that everybody by now should know it is media agnostic.

So yes, losing those clay tablets holding the patient records for a living person is covered by the ACT.

0
0
Joke

We all know it was because no one can understand doctors handwriting and he was obviously using his iPad to send the email.

1
0
Unhappy

Another blow to the public.

Frankly I resent the way the ICO go after public bodies, and leave the private sector alone.

I will be a patient one day, and my local Trust will have no money left after payng thee £100,000 salaries of directors and the fines the ICO is dishing out.

4
0
Silver badge

Re: Another blow to the public.

The thing is, a lot of data collected and held by public bodies, is in situations where a subject had NO CHOICE. I have to register with my local authority for Council Tax, HMRC for PAYE, my GP for healthcare, or HMG for the census.

I *can* choose whether to give my custom to the FuckUp bank of Whocares, or ShittyBonk corp inc.

Also (as this case demonstrates) public bodies tend to hold *very* sensitive data. Personally I couldn't care 2 hoots if people saw my Amazon shopping list. But I would be very upset if my medical details were sprayed to all and sundry.

2
1
Unhappy

Re: Another blow to the public.

Three times I have complained ot the ICO about people's bank account details being passed to me (I have no need to se them) by insurance comapnies.

Not interested.

Emailed about a BLOG which identified patients.

Response: a BLOG is for journalistic purposes so is exempt fromt eh Data Protection Act.

2
0
Anonymous Coward

Re: Another blow to the public.

I don't care...

I'm normally fit and well, had some tests for a mystery ailment 2 years ago which has cleared and was probably stress, I have been to my local walk in following a road traffic incident, sporadic elbow pain and an airsoft injury to my right hand.

My last prescription from my gp was for 200mg ibuprofen for pain on intercostal movement, and the time before that was for 500mg paracetamol after a minor shoulder injury.

My second nearest large hospital prescribed a peak flow meter to do continued testing, and I blew a minimum of 500 consistantly.

I have been admitted to A&E in 1993 following a head injury where I was kept in overnight.

My usual BP is 130/80, with a resting heart rate of 100 and SpO2 is 98.

Bow unto me, for I have shared my medical history online!

0
2
Silver badge

Re: Another blow to the public.

"Bow unto me, for I have shared my medical history online!"

Errr, you seem to have ticked the Anonymous Coward box. I assume you're going for irony here?

4
0
Anonymous Coward

Re: Another blow to the public.

Given that a lot of us are posting behind a screenname anyway...

Yes. The point was the irony of anonymously publishing that.

Now, either I can stay Anon to be from the same username as that post, or post as me in order to facepalm. Tough choice.

0
0
Ru
Facepalm

Re: "I don't care..."

Gosh, well aren't you a brave anonymous coward.

I note there is nothing of interest in the history you posted, assuming it is true. Perhaps you'd be less keen to share anything about a history of mental illness, or surgery following an unfortunate intimate vacuum cleaner accident, or perhaps the results of a blood test that came back positive for something communicable and unpleasant?

The article, if you bothered to read it, involved a psychological evaluation which presumably falls into the category of things you might not want the world to know.

If you cannot comprehend why someone might be unhappy at personal, private information being released into the wild by an organisation they have to trust, perhaps you should not comment on articles about such?

1
0
Big Brother

Re: Another blow to the public.

"Bow unto me, for I have shared my medical history online!"

that is the choice that the law makes clear, you the data subject can share your information with anyone you choose......but.......NHS employees, et al that hold your information in trust are not allowed to be careless with it.

0
0
Angel

Dictatorial?

Do you chaps dictate your articles?

Shouldn't the strapline be "Email address typo leads to ICO spank firest?

:)

0
0
Flame

"Response: a BLOG is for journalistic purposes so is exempt fromt eh Data Protection Act."

WHAAAAAT??????

The ICO told you a blog is exempt from data protection??? thats priceless!

you should send that in to "Private Eye" or "Have I got news for you"

These bloggers really have it easy - first they seem to be outside all laws practices anf guideline that real journalists have to live by , now they are immune to the data protection act? wow!

0
0
Silver badge

Presumably the blog wasn't from an organisation that had collected the data - so it's nothing to do with the ICO.

If a blog, or any other news program, wants to say that Gordon Brown had a sex change or that Boris Johnson is receiving treatment for his baby eating addiction then that's potentially libel and it's upto the courts to decide.

The 'any data about me is covered by the DPO' angle was tried when it first came out. IIRC by some government minister claiming that images of him coming out of a nighclub with a very young lady were subject to DPO - was laughed out of court

0
0
Meh

Ermm ...

the blog was by a member of staff at a hospital, a fact pointed in the emil to the ICO.

Mibbe I should send the response to Private Eye ....

0
0
Anonymous Coward

Methinks this is just the ICO trying to validate their existence. If they didn't fine anyone then people might be curious what they actually did.

Since they are incapable of fining private companies due to a scrotum deficiency then the only logical choice is to fine public ones.

1
0
FAIL

The Management just don't get it.

The big problem seems to be that very senior staff in the NHS - including some Chief Execs and Caldicott guardians - don't have the first clue about how to manage and process personal data appropriately. Until and unless they get fined into taking it seriously, there is a danger that they will carry on in ignorance. They seem to understand being hit in the wallet, even if it is we taxpayers that end up with the bill.

I personally know of doctors who are screaming blue murder about data being sent out of trusts without appropriate precautions, and it falls on deaf ears.

"All that may come to my knowledge in the exercise of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and will never reveal."

0
0
This topic is closed for new posts.

Forums