Feeds

back to article UK.gov fines itself harshly for hurling NHS records to the winds

A defunct NHS board has been posthumously fined £200,000 after thousands of patients' records were found on a second-hand computer sold on eBay. The Information Commissioner's Office (ICO) slapped NHS Surrey with the fine because they failed to ensure that 3,000 records were wiped off a computer before it was flogged. A member …

COMMENTS

This topic is closed for new posts.
Gold badge
WTF?

Another victory for bean couters.

ICO.

Name the f**king company so people can know a)Who does cheap deals b)Who will pimp out your data to anyone they can. Otherwise this is an accounting excercise. And you can bet NHS England will lawyer up and spend another few £100k fighting this case.

Actions without consequences --> BAU.

Of course as a public body isn't the ICO subject to FOI requests?

ElReg would you care to name the outfit?

13
0
Silver badge

Re: Another victory for bean couters.

Agreed. Who are these useless pricks that couldn't even carry out the most basic of tasks when taking in used PCs for resale?

3
0
Anonymous Coward

Re: Another victory for bean couters.

Why name it? The NHS had no contract with it requiring destruction, who's to say what the actual deal was or where agreed responsibilities lay?

Why should this firm pay for the manifest failings of NHS management?

Never fear through, the NHS managers who caused the problem probably got a tasty promotion.

1
2
Silver badge
Thumb Down

Security Firm? Really?

We expect public bodies to screw up in this area, and NHS Surrey sure are responsible, but security firms and particularly data destruction firms make a good living out of taking on this responsibility for those that don't have the skills themselves.

So what firm was this? Trotters Independent Traders?

2
0
Silver badge

Numpties.

EOF

1
0
Silver badge

What a waste of time and money!

It's ridiculous fining public bodies vast sums (or small sums) - the contracts of the staff should be modified (if necessary) so that the individuals ultimately responsible - the managers/board members, not the minion - can be fined a smaller (but appropriate) amount (i.e. a percentage of salary or similar), rather than fining the body itself which hurts no-one but the users of the service.

8
0
Bronze badge
Thumb Down

2 classic fails

'NHS Surrey chose to leave an approved provider........'

'the health board did not sign a contract with the firm which clearly explained its legal requirements under the Data Protection Act.'

Looks like there was a dislocation of the Head of IT and Finance/Contracts body that went unattended and ended in a terminal condition.

1
0
Gold badge

Consequencies?

Now in a ruling vs a private company, you could assume that the board/shareholders would be pissed at having to pay a fine and would internally "punish" those responsible*

However, it this case, what happens? Do those responsible receive anything at all? It is time that the act makes people directly responsible for the actions (and in the case where those people have so much money that fines are not important to them, lock them up!)

*OK in the real world, there are probably some boards where they are more than happy to pay the fine, knowing that it was cheaper than doing things right in the first case (In which case I again recommend locking them up).

9
0

Re: Consequencies?

there won't be any consequences for the individuals concerned, will there though .. there never are. When was the last time that a govt department / local council actually named the individual(s) responsible and made them pay the fines themselves?

You're right, it's about time the people who accept the salaries for the jobs also accept the responsibilities, and face consequences when they do not, and are not allowed to use public funds to pay fines.

In other news, Southeastern have managed an entire week with every single train on time, and a squadron of flying pigs has been spotted.

3
0
Anonymous Coward

Re: Consequencies?

"When was the last time that a govt department / local council actually named the individual(s) responsible and made them pay the fines themselves?"

No need to do that, you do what a private company would do; sack them for being grossly incompetent.

And as this is a government agency, you ban them for ever holding a government office again or working on a government contract.

As for trains being on time; easy. Pad the timetables so the starts and ends of the journey match reality and do not count late/missed stations in between. And yes, this is exactly how they lie to you.

2
0
Silver badge

Re: Consequencies?

NHS Trusts have boards of governors, who have quite strong powers if they choose to use them. Why don't they demand a full accounting, and put forward motions for real action?

0
0
Silver badge

Sperate dealings

Tha hard disks should be removed from the comptuers "before" the computers they leave the hospital.

These disks should then be handled by "validated" security firms that are capable of destroying/wiping the disks correctly.

This is a failure on behalf of the NHS management: in this day and age any manager above a certain level definately should have enough savvy to know the risks involved and the appropriate measures that should be taken. If he does not then he is obviously in the wrong position.

You do not have to be a IT expert to know that confidential data is confidential data.

4
0

Re: Sperate dealings

I agree totally. Every staff member should be signed up to the data protection policies, and (if the organisation is any good) receive training on data security. And breaches of such policies necessitate enforcement and if necessary termination of contract.

You DO NOT entrust hard disks with sensitive data to unknown resellers! You especially don't do it coz it's cheap or free! And you don't then mislay the records of the transactions!

When people talk about "failure of management", it sounds like someone just slipped up. In this case it was a systematic failure, and probably was driven by cost-cutting pressures from above. It in no way exonerates the senior management.

0
0
Mushroom

Hypothetically speaking

I'm a public sector organisation, with 10000 desktops to retire and replace. Each PC has a hard disk of between 250-750 GB. How long will it take me to securely erase that many hard disks using the Guttman method? And then independently verify that the hard disks were wiped effectively?

What's the solution? As someone who used to work in ISO compliant quality inspection, with high volumes there is an unavoidable small failure rate. 100% compliance is a physical impossibility, human error can never be ruled out, and managers are always pushing deadlines forward, reducing budgets and expecting the impossible. Making a single person liable doesn't introduce accountability, it just ensures that the job position goes unfilled. You want to put me in jail if I make a mistake, either add a few 0's onto the end of that salary, or find someone else.

1
8
Bronze badge
FAIL

Hypothetically answering

The real problem is that there is no real pain associated with governance failure, caused not least by the dilution of the term "professional"

Professionals used to be people to whom you could transfer risk (for money, natch) and they would take responsibility for doing what was supposed to happen on pain of serious consequences if they screwed up.

Now we're all "professional" because we've got a stack of qualifications and we want the money for being "professional" without taking the responsibility for outcomes.

This is true everywhere but in the public sector it's worse because there appears to be no darwinian mechanisms equivalent to going out of business

9
0
Silver badge

Re: Hypothetically speaking

"How long will it take me to securely erase that many hard disks"

Screwdriver & a 10 gauge shotgun ... Probably about 80 hours.

Plasma cutter is over-kill in such situations ...

HTH, HAND.

0
1
WTF?

Re: Hypothetically speaking

You don't...you destroy them.

When replaced you get a machine with some level of disk/physical encryption.

Classic - "but it's hard" public sector answer... It's not hard, and considering the massive overspend on IT across Government money is not even the problem, it just requires compedency and effort.

4
0
Boffin

Re: Hypothetically speaking

Your options

1/you sign a contract with a suitably accredited firm that takes responsibility for disposal and indemnifies you against such fines. You then ask for a quarterly report of wiping and compare with your disposal list.

2/ You wipe them yourself before going off site, will probably take 30 - 60 seconds labour per computer if you have it set up properly. Nothing goes off site unless it has a signed sticker on it saying it has been wiped and attach a copy of the wiping report. do random inspections.

3/ you ask your mate to dispose of everything on eBay without wiping them and feign ignorance when he gets caught. Get your Trust to pay the fine.

2
0

Re: Hypothetically speaking

You don't get sent to prison if you do your best to manage it, only if you are criminally negligent.

1
0
Silver badge

Re: Hypothetically speaking

"How long will it take me to securely erase that many hard disks using the Guttman method?"

Even Guttman would say that this is irrelevant (used to be here: www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html but it's not loading today). One or two passes of random overwriting would be fine. Of course it would take you far too long to extract the disks, load them into DBAN stations and queue them all through sequentially.

So - don't do it! Before unplugging a desktop from the power and the network to cart off to the store room, boot from a DBAN USB stick and leave it chugging on the desktop. The machines should be wiped before they even leave the users desks.

4
0

Re: Hypothetically speaking

Wasn't the guttman method superseded around 2003 with the "Secure Erase Standard" ?

Anyhow...

Erasing the drives would be a superfluous process IF the confidential data had been encrypted.

<caveat>Of course there's always some silly sod who keeps passwords in text file on the desktop.

However as most commercial software 'phones home' at boot-up checking for Key validity or updates then bricking the decryption packages on mass should be a simple & speedy affair.

0
0
Anonymous Coward

Re: Hypothetically speaking

How long will it take me to securely erase that many hard disks using the Guttman method? And then independently verify that the hard disks were wiped effectively?

For any value of "effectively" there is the Bad Sector trick: if you can convince the firmware to map 80% of the drive as bad sectors it won't touch those areas again, not even for a wipe (one of those little neat gotchas).

The only way to do it right is physical destruction, and there are plenty options available for that, usually involving fun bits of hydraulics or metal shredders (although I'm wondering if lining them up somewhere with a nice bit of thermite wouldn't be more fun, sorry, wandering off into wishful thinking)...

1
0
Bronze badge

Re: Hypothetically speaking

Hypothetically - it depends on the data.

Why over write? You could remove and deguass or remove and shred the hard drive(s) - all by an accredited company with each disposal signed off by them, putting the onus on them. The remaining parts sold on.

Or if they just need to be 'Blancco'd' - the contratc by the accredited company should specify - and again each disposal signed off by them.

Not too difficult really.

1
0
Silver badge

Re: Hypothetically speaking

"100% compliance is a physical impossibility, human error can never be ruled out, and managers are always pushing deadlines forward, reducing budgets and expecting the impossible. "

All very well and good. But I think you'd find that if those responsible for the errors - AND the managers responsible for "expecting the impossible" - were PERSONALLY singled out and punished, compliance would get a lot closer to 100%, and human error would decrease markedly.

1
0
Silver badge

Re: Hypothetically speaking

Shit happens, true. And as long as contracts have been signed, correct (i.e. vetted) procedures put in place, training given and procedures followed; if something goes wrong you simply have to shrug, call it "systemic" and try to fix the weak point.

But that's not this case is it? The NHS managers failed (no contract for a start!) and faced no comeback. Zero. None. Nada. Zip.

1
0
Bronze badge
Thumb Down

Re: Hypothetically speaking

@ Aqua Marina

Is this a serious post?

How long ago did you work in ISO comp QA?

you're trying to DESTROY data, with no margin for error.

typically the corporate beige things being discarded have tiny HDDs, and even if they don't HDD cost is marginal.

What you do is shred the bleeders.

It's quite similar to a tree chipping machine, you throw anything in, full desktop, laptop or just the hard drives and something akin to sand or fine pebbles comes out the other end,

Destroying the data is MORE IMPORTANT than the HDD being included to the guys re-claiming the stuff.

The "recycling company" are then free to flip them on ebay (as seems to be standard practice apparently) or donate them to charity (getting more common).

Responsibly dispose of nearly-vapourised hard drives. Done. The very fact they used any process at all that even HAS a margin for error means they (both parties) weren't doing it properly. This wasn't "error" at all.

I couldn't give you a rate of data destruction, simply tell you it was both very quick (and amazing fun) watching the machine eat them by the bucket full.

That is how you guarantee you've destroyed the data.

1
0

Re: Hypothetically speaking

What's the solution? VDI.

0
0
Bronze badge

Re: you're trying to DESTROY data, with no margin for error.

Actually you're not. You're trying to ensure that you are following the best practise procedures with sufficient paper trail for audit purposes so that, when the inevitable fuckup happens, you can show the powers that be that your organisation (and, specifically, you) are Not At Fault.

Once we get that certificate from the expensive secure disk destructo-bods saying this disk has been (lies. They mean it will be) subject to secure disk destructo then secure disk destructo-bods can take the contents and spray it all over WikiLeaks if they wish and we're safe from the ICO.

Information Governance is about reducing the potential for leaks and ensuring that, when some data inevitably slips through the cracks, your arse is covered.

It should be said that, it seems, NHS Surrey did neither, heard the word "Free" and then probably moaned at the bloke who set up the original, approved solution, for wasting money.

Now, to us geeks that's distasteful politics and we know the only good retired disk is one that's been verifiably smashed into powder, preferably by us with our own disk smashing equipment whilst drinking whisky and exclaiming to the obsolete hardware that you knew you'd win in the end.

In reality a note from another company promising to do it for you is the best we're likely to be offered by the beancounters.

2
0
Anonymous Coward

Re: you're trying to DESTROY data, with no margin for error.

NHS Surrey was criminally negligent. You are required to comply with NHS SyOp 7.13 for the destruction of data, and they didn't do it.

IIRC, SyOp 7.13 states that data should be destroyed on site under the presence of a member of your staff <U>before</U>!!! allowing the removal of the equipment from the site.

Whomever was responsible for this should be fired at the least. Sadly in the world of the NHS they might get put on an improvement plan...

I was careful to the point of paranoia managing the destruction of IT equipment. We degaussed the drives with to 4 times the required destruction standards, then had them physically destroyed on site by a contractor under observation by our own staff and we then allowed the remains of the drives off site to be melted down. I can state categorically that not a single drive that left my site had any recoverable data on it.

And we didn't pay anything for this, because the company involved calculated that 2k hard drives was worth their effort to come to site and destroy and collect the drives because of the payoff from the amount of precious metals in that many HDD's.

There is no excuse FFS!

2
0

Why was it not encrypted to start with?

The truly staggering lack of any decent IT across the Government spectrum of departments is just no surprise anymore.

The first question to really ask is .....why was the data on the drive not encrypted to start with?

Problem is we all know the answer. Despite that we (taxpayers) pay about 40 times the cost for state run IT than a private company would, and we get zero value for it.

From my personal experience having to deal with Government IT, +their contractors, the compedence level and skill set is so astondingly low for internal staff, with the contractors often not a lot higher, plus there is little incentive to finish a project ontime or on cost on either side. Internal don't get fired, contractors want longer contracts...

Very brokennnn

1
0

I know it's only a guideline but that ICO doc is full of "should"s rather than "must". There is a vast difference between what you should do and what you must do: it is easy to comply with most of those guidelines by doing sod-all. In the past I've had the "should", "shall", "will" and "must" discussion with a contract lawyer (the strongest is "must") because I've seen this kind of thing before.

1
0
Silver badge

That's why those things are called guidelines, which in the public sector can usually be translated as 'proof we issue best practice proclamations however, enforcing those regulations falls outside our remit'. Most public sector guidelines are written by legal to be as vague as possible and still make sure there is zero accountability.

If government put as much work into doing things properly as they do into dodging responsibility then things would be a lot better for everyone.

0
0
Silver badge

And who pays the fine???

Yes, as usual: the taxpayer. In other words, no one is punished at all. They just shuffle some taxpayers' money from one pot into another.

0
0
Anonymous Coward

Name the company? Yes! But name & shame the NHS decision makers too!

"But the health board did not sign a contract with the firm which clearly explained its legal requirements under the Data Protection Act. The board also "failed to observe and monitor the data destruction process"

So name and shame the board. The buck ultimately stops with them... This was a problem of oversight. But the main problem as always is- no one ever gets fired for incompetence in Government (well hardly ever)! We need to know who the key NHS decision makers were....

If they're still working in the NHS they should be forced to resign or fired for incompetence. A message has to be sent. This same shit happens every single day... Yet here we are sleep walking to a privacy time-bomb.....

0
0

This is the LEAST of your worries

I know for a fact that one major surrey hospital mis-filled heart testing results for one patient in another patient's medical records.

Fortunately the over worked junior doctor was awake enough to realise the results did not relate to the patient he was dealing with, and the actual patient was fortunate that she did not need a follow up from that test.

Word from retired staff at that hosipital is that given the trollies of unfilled patient records floating around, this is the tip of the ice berg.

The ICO needs to remove the fence post from it's rear and get out there and INVESTIGATE!, they are a F**ck@$g law enforcement body

0
0
JDX
Gold badge

Even managed to lose records showing how many records were lost

A Douglas Adams-esque piece of foolishness (see Mostly Harmless & the Grebulons).

0
0
Silver badge

What the sub-editor should have said...

UK.gov fines itself harshly for hurling NHS records to the winds

becomes

UK.gov fines patients (as taxpayers) harshly for hurling taxpayers (as NHS patients) records to the winds

There, fixed that for you...

0
0
Megaphone

Education required

The guidelines provided by the ICO, as well as from other regulatory bodies, are ambiguous and offer no leadership or advice to the IT asset manager. The statement from the ICO slating selection of free recyclers without any other vetting is the first real indication of the ICO's view on the ITAD sector.

Data Eradication is a massive, specialist industry. It has a cost as you would expect. So when someone comes along saying "hey we will do this for free" surely alarm bells should be ringing???

ADISA (Asset Disposal and Security Alliance) is a DIPCOG recognised body and can provide details of an accredited ITAD local to your business. There are approximately 30 accredited members, in the UK you will find almost 700 non accredited ITADs. The UK government recognise the ADISA standard and ADISA uis being rolled out internationally. If your preferred ITAD is not on the ADISA approved list then ask yourself why. At the very least carry out your own audit of your IT recycler.

0
0
This topic is closed for new posts.