A spreadsheet?
Oh, FFS.
An email sent by the NHS advice service mistakenly disclosed personal information about patients, although it did not leave the health service. The organisation's annual report for 2008-09 reveals that the information, including the names, addresses, NHS numbers, dates of birth and clinical data of about 100 patients, was …
Quote: "NHS Direct takes data protection very seriously and we regularly review our processes and train our staff in order to ensure that we fulfil our responsibilities in this area." That's a lie. Proof:
"... this happened when a spreadsheet was emailed to three people in error."
a) "spreadsheet" + "emailed": FAIL.
b) "spreadsheet" + "emailed" + "to three people": Catastrophic FAIL.
c) "emailed" + "in error": Final, irrevocable proof that they...
- do NOT train their staff in any meaningful way
- do NOT take data protection seriously
- do NOT fulfill their responsibilities in this area.
End result: Complete, utter, FAIL.
Hardly a major failure. The information didn't leave the NHS so everyone who saw it would already be bound by patient confidentiality rules. Every company I've ever worked for has used spreadsheets for emailing information; at least the NHS is acting responsibly by holding its hands up and admitting it.
-- "The information didn't leave the NHS"
This isn't guaranteed. The spreadsheet was emailed to "another part of the health service" - depending on their definitions, it's entirely possible that the email in question travelled over the Internet, and could therefore have been intercepted at any one of a number of points along the way...
In this case you are probably correct, as the sender and recipient would almost certainly have been using NHS mail which is secure end-to-end between nhs mail addresses [@nhs.net].
However, the principle doesn't hold generally, as [unlike social services and MoD] there are many parts of the nhs that use @nhs.uk addresses, which are not secure outwith their own organisation, and so are inappropriate for sending patient data to other domains [including other @nhs.uk and @nhs.net addressees], as this traffic would be routed over the internet.
William.