25k headline, 225k story.
sort it out!
(it's 225k, in case you change the wrong one)
Belfast Health and Social Care Trust has been fined £225,000 by the Information Commissioner's Office for leaving patient and staff files in an abandoned hospital. The Belfast Trust became the latest NHS body to feel the wrath of the ICO after it left 100,000 patient records and 15,000 staff records in boxes, cabinets, on the …
Nah, fining the organisation is just stupid. All that does is move money from one Gummint pocket to another.
Instead you fine the people responsible. Start with the numpty whose act of commission or omission actually caused the leak and include the entire managerial chain from his boss to the CEO on the grounds that all failed to adequately supervise their immediate staff member. Hit them all with a fine of the same %age of salary so all get the message with equal emphasis. For fairness, also make it a rule that if anybody gets fired over the data loss, they all do.
A few years ago I used to be into Urbex. I found records left in four hospitals I visited - St Georges at Stafford, Denbigh, Blackburn Royal and Withington, Manchester. The first two were asylums and featured details on sectioned patients, the latter two were normal hospitals.
None of the hospitals were secured, it was just simple walk-in access from the road and the records were just left in rooms.
I used to occasionally go to Withington hospital as a patient, and another time I was visiting someone at the old Booth Hall children's hospital when I got a bit lost and ended up in a mostly abandoned building rather than the ward I was looking for. District hospitals like this are generally massive sites and it's very easy to lose paper files or end up somewhere you weren't expecting even if it's somewhere you know very well. There are also so many layers of bureaucracy that it can be easy to get confused between who's responsible for records while a patient has been admitted and who's responsible for moving archives between sites.
I agree that fining NHS trusts isn't the right way to deal with this kind of thing. The Caldicott report made a number of recommendations about patient records and confidentiality so that would be a good place to start. It suggests that a fairly senior person should be responsible for maintaining confidentiality. Personally I'd say that person should be the chief executive of the trust. They could delegate actually implementing things, but if something happened like a room full of forgotten records turning up when a building was being prepared for demolition, they would be personally responsible for explaining why they didn't carry out final checks as well as paying any fines out of their salary or facing sanctions for misconduct or negligence. It would certainly make them a bit more careful.
Cue two groups of anonymous people.
Group A saying "we would never do this"
Group B saying "we do".
The managers responsible for the biggest foul ups tend to stick in a job for little over two years then move on.
Year one, they sit and watch what is happening.
Year two, they come out with their CV padding ideas then move on.
The idea works OK in year 3 but starts to go wrong somewhere during year 4 and by year 5 is a serious problem but nobody knows where the guilty suit is now as they have moved on yet again.
The ICO lands another hefty fine on a public service organisation, presumably taking money away from front line service and back to the treasury.
Yet all the while, if a private company commits a data offence, the ICO's stance is softly-softly: work with them to help them follow the guidelines, and a token pocket-change fine if we're lucky.
It's about time the NHS learned to deploy the "actions of a single rogue employee" defence, which gets you completely off the hook, or at least it does for a private company.
So I implore all El Reg readers here, follow the pattern of how the ICO exercises its powers against public sector vs private and you'll see this is true.
All the while the ICO is still considering its position on Google's national WiFi slurp data rape. They failed to investigate, took Google's word for it at every stage, and then only thanks to the US FCC actually knowing how to investigate something, the ICO are left looking more weak and incompetent than words can justify.
If you look through all the monetary fines they are for failure to protect individuals' data.
Google has not disclosed any individuals' data. What Google did was slurp data that people transmitted unencrypted for anybody to read. Had Google attempted to decrypt or obtain the private keys then it would have broken many laws. There is little difference between what Google did and a stranger reading a note you pin to your front door.
There are many open source (and 100% legal) tools you can install on your laptop and then drive around and slurp exactly the same type of data Google did.
What about a world where "the data" didn't exist in the first place?
Where doctors don't keep a giant freaking library, they operate out of a small place, where people come in and don't need an ID, or money. The only real need for a prescription being so people don't overdose from not being informed. The doctors get paid by people who CAN pay, by local business where it's voluntarily in the business's interest to keep people healthy, so they come back, do more business, or voluntarily in a city's interest to keep the public healthy so the businesses voluntarily stay put. Obviously the doctor can't give drugs out free forever so it would be on the one needing it first, then down the line, logical places, not destroying lives being fair. You can even BUY insurance in this world, if you can trust someone to sell it to you. A lot of other things have to be fixed for this world.
OR
How about a world where there are men from government agencies carrying automatic weapons and heavy military equipment, showing up at the local CVS pharmacy, or hospital pharmacy, carrying out boxes of a smashed up building, and handcuffed doctors, pharmacists, patients and all manner of mayhem when you are back for a refill, or zoning law exploits to raid medical cannabis dispensary co-ops.