ICO tries to justify hefty NHS data breach fines

The UK's data protection watchdog has defended its civil monetary penalty regime after it was criticised for the amounts of fines levied on public health bodies. Earlier this week Christopher Fincken, the chairman of the UK Council of Caldicott Guardians, said that the money NHS bodies were using to pay fines levied on them by …

COMMENTS

This topic is closed for new posts.


Nev
Bronze badge

Fine those responsible and those in charge.

Maybe they'll start taking things seriously if they had to pay for their **** ups...

22
0
Anonymous Coward

Re: Fine those responsible and those in charge.

Spot on. Folk in jobs where they allegedly have lots of responsibility (whether private sector or public sector) claim they have to be paid lots of money to take the responsibility. When things go right, they personally take credit for it, and pay themselves yet more money. But when things go wrong, they are NOT held responsible. So, either don't pay them so much in the good times, or hold them responsible for the bad times. Or preferably both.

19
0
Silver badge
Meh

Too slippery to catch out

Simple, those responsible should lose their jobs, sadly by the time they get round to this they have moved on, left to go to another similar job on the old boys network.

They also usually leave with a large payoff, pension rights and other bonuses then move straight into the same job with a different authority.

They are so slippery it is also difficult to point the finger of blame at them, they are clever enough to delegate and then absolve themselves of any responsibility.

The solution would be to put in place an insurance clause in their contract that states the pension, bonus payouts, severance payments can all be reclaimed should any detrimental scandal or wrong doing take place for up to 10 years after they have gone.

6
0
FAIL

Public vs Private

It seems our ICO is great at punishing public bodies, but can't seem to take the same line with private companies - when was the last time you heard of a private company being fined like this? The only one I can think of was a law firm that was already insolvent by the time they got around to fining it. Easy targets?

12
1
Silver badge

Re: Public vs Private

or maybe private bodies are more careful when it comes to protecting customer data.

2
9

Re: Public vs Private

and if you believe that I have a business proposition for you...

Porcine Landing Strips

10
1
Anonymous Coward

Re: Public vs Private

"or maybe private bodies are more careful when it comes to protecting customer data."

Unlikely.

However, there is less of a duty to report breaches within the private sector so companies can lose a lot of customer data and only worry about it if it finds its way into the news so there is always a greater number of "breaches" in the public sector.

Added to which, when the private sector does breach, the ICO seems reluctant to issue the same level of penalty - for example, in March, a private healthcare provider lost medication records for 2000 patients and the ICO was happy with a "commitment to take action."

It seems that the ICO is happy for the private sector to promise to improve but the public sector gets the CMP approach.

8
0
Silver badge

Re: Public vs Private

> Unlikely.

Why?

2
2

Re: Public vs Private

Or more realistically Private Bodies don't notify the ICO of their failings unlike NHS bodies who are required to do so as part of their returns to the DoH but hey why let facts ruin a good theory.

4
0
Silver badge
Holmes

Re: Public vs Private

There is also the problem of "dark matter" - losses undetected that went into the heat sink (a USB stick in the trash being carried off for incineration) - losses undetected that went into someone's toolset (a USB stick falling victim to dumpster diving).

"There are known knowns; there are things we know that we know.

There are known unknowns; that is to say there are things that we now know we don't know.

But there are also unknown unknowns – there are things we do not know we don't know."

If Rumsfeld is to be remembered for anything except asshattery, this should be it.

2
0
Anonymous Coward

Re: Public vs Private

Or that public bodies tend to be carrying more sensitive material and their loss is much more worrying.

If Tesco lose my data, people get to see my shopping habits and my credit card details? They can buy me off with a fulsome apology, free shopping and get a bollocking from my bank.

My hospital attendance record fluttering down the street? I'd want someone's testicular parts flambeed.

3
0

Re: Rumsfeld

Didn't 'Yes, Prime minister' get there first?

0
0

Re: Public vs Private

"But there are also unknown unknowns – there are things we do not know we don't know."

I agree: this is possibly the statement that got Rumsfeld the most derision of anything he said. But it should not have: the abuse merely showed the ignorance of his critics on this one point. Nassim Nicholas Taleb's 'black swans' are just a restatement of the same idea.

4
0
Anonymous Coward

Re: Public vs Private

>> Unlikely.

> Why?

for a starter, because the services are delivered by the private sector in both counts and the same "cost saving measures" which lead to public sector breaches are prevalent in the private sector.

0
0
Gold badge
Unhappy

What about the penalties Ministers have *not* enabled in the legislation?

I cannot recall if the last DP Act *could* give the ICO power to prosecute as a *criminal* act (IE the CPS handle it) or to fine staff *directly* but I'm sure there are powers that the relevant Minister (Was it Jezzer Hunt per chance?) did not see fit to allow.

In aircraft design there is a process called a "Flight Readiness Review" for test pilot flying.

The senior engineers sign a document to the effect they have done everything they *know* to confirm the flight is necessary and as safe as possible. If it goes sideways and it turns out they *ignored* certain things, or failed to *fully* investigate requirements they are *personally* liable.

You get the big bucks. You take the big decisions and you take the big jail time. That works for me.

11
0
Gold badge

@ John Smith 19

It's not just at Flight Readiness Review. I signed off designs on a flight control computer, and can always be held accountable if a later review finds a problem. I remember talking to an engineer going through it who was practically having a breakdown about whether he should've used higher precision components (finally turned out to be pilot error, but it struck me how on the line I was).

2
0
Big Brother

Re: What about the penalties Ministers have *not* enabled in the legislation?

One thing to watch for in public bodies is that responsibility doesn't always equate with the authority to require action.

For example the DP Officer in a local authority is normally a secondary role to their "Day Job", and they do not have the authority to require a department to do or stop doing something (i.e. crap data handling procedures). Unlike the "Monitoring Officer" (usually head of legal), who has the authority to insist on compliance with the law.

1
0

Harsh punishment, but maybe fair

The fine needs to outweigh the cost of stopping the breach occurring in the first place. Correctly retrieving and archiving patient records from an abandoned hospital would be expensive, other trusts can't be allowed to consider its worth risking not dealing with the problem in the first place.

It’s up to the organisations themselves to ensure that the individuals responsible get a proper punishment, if they fail to do that, then they are further failing in their duty of care to their patients. Some organisations (public and private) are far too weak at dealing with reckless/irresponsible behaviour, and it does impact their efficiency. Public bodies should be able to get away with it just because they're providing a public service.

4
0
Anonymous Coward

Re: Harsh punishment, but maybe fair

"The fine needs to outweigh the cost of stopping the breach occurring in the first place. Correctly retrieving and archiving patient records from an abandoned hospital would be expensive, other trusts can't be allowed to consider its worth risking not dealing with the problem in the first place."

Well put and it is the best justification for the CMP programme. Organisations handling personal data have to make risk management decisions and if the punishment for a breach is less than the cost of doing the right thing, taking the punishment is good business.

The problem is that outside the public sector there is an ineffective, erratic, enforcement strategy. If you were a private sector business, there is a good argument to not bother complying with the DPA and then in the event of a breach, you say "sorry guv" and promise to implement some controls at a later date.

4
0
Silver badge

Interesting disincentive to whistleblowers

If someone comes across a data breach at their local hospital, how likely are they to report it if the result is a £500K fine followed by the closure of a ward due to lack of funds?

Full marks to ICO for thinking through the consequences of his decisions.

6
1
Angel

Re: Interesting disincentive to whistleblowers

Speaking as a data protection officer in a hospital who has come across data protection breaches, I can speak for myself when I say I always report them.

Why not just keep schtum, I hear you ask? Well, for several reasons.

1. If the breach isn't actioned then there's a risk it can happen again and again. If it's identified and actions taken accordingly to mitigate, then less risk of it recurring.

2. It's my job to identify these breaches, report them to various bodies (not just the ICO) and try my best to ensure they don't happen again. If I let each breach slide then I should seriously consider looking for another job. No point in being hired to do a job and then doing the complete opposite.

3. If we don't report a breach and it comes to light during another breach later on then it just looks bad and adds to the ICO incentive to fine us for being 'sneaky'.

4. The ICO don't fine organisations willy nilly. It's not like one breach and you're fined. Of course it's possible to be fined after one breach depending on the severity of the incident but it's very very rare. All the NHS organisations fined since April 2012 have had more than one breach and have failed on the 'learned lessons' of previous incidents and that's why they eventually got fined.

5. The risk of the ICO fining us for breaches is the motivation we need to get every single element of data protection and information security (ISO 27001) implemented. Sad, but true. We all need motivation for the things we do.

5
0
Anonymous Coward

Re: Interesting disincentive to whistleblowers

make it that the fine has to come out of the performance related pay bonuses of the NHS managers and soon every little breach will be reported

I am confident that the PRP pool for brighton will be *much* more than the £325000

or just fire the incompetents and don't give them a glowing reference so that they can just start leeching in another trust (Mid-Staffs - I'm looking at you)

2
0
Thumb Up

Re: Interesting disincentive to whistleblowers

@ Prudo King

I hold a similar position to you at a NHS trust and I agree wholeheartedly with each and every point you make. Those who don't take this position seriously should be sacked asap, sadly this being the NHS we both know that won't happen.

@ non-NHS types out there: there are some of us who take our job and its responsibilities seriously. Sadly the odd muppets here and there give us all a bad name....

0
0
Anonymous Coward

Public vs. Private

Personally, I think it's right that public bodies should suffer greater penalties than private. At the end of the day, you have a choice over whether you give your information to a private company - in the round there will be a spread, and you, as a citizen, can pick and choose. If data security is a factor in your choice, you can steer clear of a company that has suffered a breach.

With a public body, you have no choice. And in some situations you are obliged BY LAW to hand over your data. It's axiomatic that they should take greater care with your data, and suffer greater penalties when they fail.

3
4
Anonymous Coward

Re: Public vs. Private

"Personally, I think it's right that public bodies should suffer greater penalties than private. At the end of the day, you have a choice over whether you give your information to a private company - in the round there will be a spread, and you, as a citizen, can pick and choose. If data security is a factor in your choice, you can steer clear of a company that has suffered a breach."

This assumes a level of choice which is frequently unavailable.

I need to get a train from Glasgow to London and I am not happy with how the provider protects my personal data, what options do I have? Or I need to get a plane from Liverpool to Belfast, how can I choose the provider which offers greater protection of my personal data?

Added into which, most public sector bodies actually deliver their data handling through private sector organisations just to confuse matters.

3
1
Gold badge
Flame

Re: Public vs. Private

"Personally, I think it's right that public bodies should suffer greater penalties than private. "

Why?

"public bodies" don't lose data. *people* lose data. Either by being *personally* careless, incompetent or stupid or by following *policies* which are lax, carelessly thought out or just plain dumb. IOW thought up by *people* who were being any (and possibly all) of the above.

I agree public bodies *demand* data and proceed to treat it as *their* data.

But blaming "public bodies" is like "computer says no." It's responsibility avoiding BS.

"Managers," "Directors," "COOs," "CEOs" want their big piles of cash. Let them take the weight or defend *themselves* if the poo hits the fan.

6
0
WTF?

Re: Public vs. Private

Actually, when you think about it, it should be the other way around. If I choose to give my data to the private company it is (presumably) because I have been assured by them that they will treat my data properly. They have entered into an explicit contract with me to do so. Then they go and screw it up. *That* is a direct abuse of my contract with them. And we all know that companies are taking the data for explicit commercial gain, rather than (for example) trying to make people better.

2
1
Silver badge

Re: Public vs. Private

> Actually, when you think about it

Well, it's worse with the public outfit. They also have a contract (it's "the law" and stuff) that is imposed (did you sign something? no) on you and you have no particular choice about handing over your data.

> And we all know that companies are taking the data for explicit commercial gain, rather than (for example) trying to make people better.

Do you really think that what you say makes any sense at all?

3
3
Holmes

Re: Public vs. Private

>Do you really think that what you say makes any sense at all?

Well actually yes, and I'm going to dignify your answer by assuming you do too.

Firstly: if they're using your data for commercial gain then they (and their shareholders) are benefiting from that - if they misuse or lose data then they should pay a corresponding fine. But in the world of the ICO they don't.

Secondly: institutions like the NHS tend to hold data because they need it for your benefit (directly: you really want them to know what you've been prescribed. Indirectly: it's really useful to you if hospital supply chains work effectively). They aren't doing it to make cash. We need to find a way of helping them handle data properly instead of slapping large and irrelevant fines on them.

Simple question then: can you find a case of a company being on the receiving end of this type of fine from the ICO?

4
0
Silver badge
FAIL

Re: Public vs. Private

Call me crazy, but I don't think it's worse either way.

If the NHS were to lose my medical records, that would be really, really shit.

But would it be any better/worse if BUPA did the same? No, same impact.

Claiming it's worse by Public or Private sector completely misses the point that your data has been lost. Whether you were compelled to hand it over or not is irrelevant to the potential harm. Sure you might be pissed because you feel they shouldn't have had the data, but that's an emotive issue and not a practical one.

To some extent, even the fact that the money comes out of taxpayers' pockets doesn't make it that much worse, in that you are in essence a 'customer' of that body. Where do you think the money is coming from when it's a private sector co? Ultimately, the customer. The major difference being that everyone pays in the public case, whereas not everyone will in the private sector.

1
0

This post has been deleted by its author

Anonymous Coward

Re: Public vs. Private

"I need to get a train from Glasgow to London and I am not happy with how the provider protects my personal data, what options do I have?"

At present you have the option to walk up to the booking office, and to pay in cash. A completely anonymous transaction, apart from the facial recognition cameras watching your every move from entering the station at Glasgow until you reach your destination in London.

I don't have the option of anonymity when using public "services", and now that Mr Slippery Cameron has announced that the world and his wife can all look at my NHS record, I am finding it very difficult to sign up with a private GP; they are a very rare breed. So while the use of state "services" is effectively compulsory, they can damn well look after the information that I am compelled to give to them.

0
1
Black Helicopters

I wonder if

The ICO execs are on some sort of performance related pay deal with big bonuses for gaining large income from fines?

And I wonder if public sector companies are less likely to go to the lawyers if fined something ridiculous?

No, I'm too cynical: obviously such conflicts of interest wouldn't exist...

2
0
Silver badge
Facepalm

bah

In response a spokesperson for the ICO told Out-Law.com that NHS bodies can avoid wasting public money by better protecting personal data.

But here's the problem. They have crappy security because they hire the cheapest option.

They hire the cheapest option because they don't have it in the budget to do it correctly without cutting patient care

They then get fined for losing data

Patient care suffers anyway because they just lost what little budget they had.

And the solution is to tell them to pay for better security, which they had to skimp on because of the lack of budget and the fines... Right.

It's the same as the whole 'not enough doctors' BS.

Cut back funding for wages because it costs too much to hire doctors

Emergencies come up, they need to hire in doctors as contractors

These doctors cost more per hour than a full time doc would in a week.

They suddenly have no more money to hire doctors fulltime, so they fire more, and hire more contractors.

I swear to god, Allah, Buddha and John Lennon, these people are idiots. They see a set figure and go "yeah that's good, that's within budget" and then multiply that budget by 10 to hire contractors or in fines, when they could just double the budget and have none of these problems.

12
1
Anonymous Coward

Re: bah

@wowfood - I wish I could upvote your post more than once!

(with the slight exception that contractors work out a lot cheaper than permanent employees if the need is only temporary; if you have a bit of work that needs an extra doctor for 9 months, bringing in a permanent doctor then, when the requirement is over, having to find new things for them to do is significantly more expensive than getting someone you don't need to train, pay sick pay / holiday etc).

0
0
Silver badge
Holmes

Re: bah

It's also a nice illustration of what is called the economic calculation problem in a socialistic outfit. You don't know how much anyone would pay for your service. You don't know what service to provide. You don't know how much to invest where. You don't know your pay levels. You can, however, demand more money from the taxpayer by wailing enough.

In a rational economic actor, what would happen is that there would be an evaluation of whether to invest in business re-engineering for more data protection [which means shifting resources away from what people pay for in the first place] or whether to incur the risk of being fined by ICO if case SHTF [which means shifting resources away from what people pay for in the first place]. Assign a price to each eventuality. Take the cheapest.

1
1

Re: bah

@Wowfood

"They have crappy security because they hire the cheapest option."

Nope: Cheapest != crappy when the required standard is higher than private sector might consider. Take encryption: All NHS laptops have to be encrypted. Not to some noddy standard, but to military standard. Special licenses were required, and the cost was anything but 'cheap', even for the 'cheapest'.

"Cut back funding for wages because it costs too much to hire doctors"

Then you find the doctors you can get are juniors, as they move to private practice the moment they've enough experience. Or they move abroad. This really is the reason why we don't have enough Doctors and Nurses, by the way: They qualify, get the experience, then head out of country because they're being offered serious money to work elsewhere. Or they go private as they can earn a hell of a lot more there than in the NHS. Even the bad doctors/consultants can do this...

The reason why so many doctors are hired in under contract is we can't retain enough of them to cover for when we have sickness and holidays (and training and jollies to some conference... or they're called up to work in a field hospital or they're retiring early due to ill health or they've just left and the trust is searching for a replacement...)

The biggest bull in the story, by the way, is that hospitals don't have money in a pot to spend on patient care. Sorry, that simply doesn't exist and hasn't for a long time. The reality is the hospital treats the patient *At Loss* then bills the relevant GP for the money. This is why a GP can refuse to refer you to the hospital: It's money out of their pot that's spent to treat you. So in reality, hospitals need to do MORE work to draw in the money to pay the fines AND/OR they need to work more efficiently. The only reasons why wards/departments are reduced or shut down is because a) they are inefficient and so waste money or b) because the government requires the closure or c) because the PCT's/GP's aren't paying for that work any more.

0
0
Thumb Up

Re: bah

@ wowfood

It's like you invaded my brain and wrote down my thoughts exactly....

0
0
Anonymous Coward

National standards and procedures for handling data are needed. With audits to ensure compliance.

1
0
Silver badge
Thumb Down

You want standards? There are truckloads. Who is going to implement them? How many years will it take? How many contractors do you need? Take them from EDS? PwC? Repeat every year or every two years? Train existing personnel for two weeks ... need more personnel etc. etc. etc.

The economic calculations are NOT trivial.

0
1

@AC 08:51

These exist. Standards, procedures, audits to ensure compliance and spot checks to ensure no one is lying.

Still doesn't stop someone deciding they are the exception to all those rules.

0
0
Mushroom

I am also staggered by the difference in treatment between public and private sector offenders. Google, Phorm, etc can offend with impunity, but the NHS seems to be a favourite revenue stream for the ICO.

I guess it's better to starve the plebs of healthcare than risk the future (post governmental) career of politicians by fining companies like that mega amounts. After all, what's a few more months waiting in agony on a prolonged waiting list (due to finances being tight because of an ICO fine)?

The ICO, like OFCOM, is not fit for purpose and needs replacement with a proper even handed regime that considers the needs of the public as well as the needs of business.

5
0

alternatively...

Or it could be that losing medical records is considered to be a more serious breach compared to Google's Street View wi-fi slurping and so on. As such, there will always appear to be a bias towards hitting the public sector with fines, as the overwhelming majority of health care provision in the UK is public sector.

2
0

@Da Weezil

The ICO think that making examples of public sector offenders will show they're doing their job. And that private sector offenders will take note and behave. Bit naive, really.

As to prolonged waiting lists - no. Hospitals get paid *after* the treatment, so they need to do more treatments to get the money in to pay the fine. Finances being tight are due to cutbacks in tariffs or disputes over what treatment was delivered, or the new favorite: Re-admissions (hospitals don't get paid for treatments if you're re-admitted within so many days from discharge, even if it turns out there's nothing wrong with you). Delays are generally down to bed blocking or wards closing due to infection.

0
0
Anonymous Coward

Change the Public Sector attitude first, then the system.

For far too long the attitude of individuals within the Public Sector has been one of being bulletproof. The tribunals, the appeals process, it takes forever, costs a fortune, and very often ends up in a large payout with final salary pension intact.

We need a public equivalent of corporate manslaughter, that stops individuals hiding behind the public sector machine and makes them responsible. The sloping shoulders within Government need to stop.

3
0
Anonymous Coward

Re: Change the Public Sector attitude first, then the system.

One small point: Final salary pensions were got rid of in the NHS years ago..... As for the rest, can't disagree really....

0
0
Silver badge
Flame

A lesson in pointless spending...

"The fine needs to outweigh the cost of stopping the breach occurring in the first place. Correctly retrieving and archiving patient records from an abandoned hospital would be expensive, other trusts can't be allowed to consider its worth risking not dealing with the problem in the first place."

NOBODY seems to have grasped the essential issue here.

Private companies have income and costs. Income minus costs and fines equal profit. The people running the company share the profit. So they have a fundamental interest in not having high costs or fines.

Public servants are paid a fixed sum by government from taxpayers. The only way they get a bigger sum is if they are 'more senior' - in other words, in charge of a bigger organisation. So they all have a fundamental interest in increasing the size of their organisation. There are several ways to do this, but one obvious way is to use more people to do the same job - in other words NOT to be efficient.

One way not to be efficient is to make mistakes and then argue for more people and budget to correct them. Fines are irrelevant so long as the people continue to be paid at the same rate. In fact, fines are rather good, since they will simply be EXTRA money paid into the system from taxpayers - meaning more money for civil servants...

5
0
Flame

Accountants taken over the asylum

This problem occurs over and over because society/guvmint has decided that regulatory bodies work by fining organisations for breaches. Everything is reduced to the financial. So you get schools fined money for failing to do something that the guvmint demanded because the guvmint didn't give them the money to do that thing; hospitals fined ...ditto... Utility companies fined, does it come out of the Board's bonuses? No, it goes on our bills. Train companies fined for lack of punctuality.... Your local Council fined for not cleaning up some fly-tipping soon enough, or failing to recycle >50% of waste...

Where do the fines go? To fund the regulator? Thus giving the regulator a perverse incentive to find fault. They get their own metrics to get so many convictions... like the Police's perverse incentives, and Environmental Health, and Trading Standards, to get so many convictions - their goal should be no crime, so no need for convictions; similarly the regulators' goals should be no breaches, so no fines.

Maybe a solution might be to give the executives of non-company bodies (schools, hospitals, council) similar status to those of companies; at least some personal responsibility, with the possibility of the regulator sacking them, banning them from holding such office in future, or a pay-cut and no bonus... (which then sadly leads to the tribunal about their contract - need law that says the regulator overrides and that's that....)

1
0
Bronze badge
Angel

Simples

All these large public institutions should have a money pool for wages of upper management. If, by law, any penalties are paid from this pool only, that would solve the problem.

2
0
Anonymous Coward

Re: Simples

Except when they try and unload a rubbish manager and employ a better one, they find they can't afford to offer the proper salary.

0
1
