The data protection watchdog has issued a reminder to GP practices about the importance of keeping patient information secure in the wake of a reported data breach at the London hospital where the Princess of Wales was treated.
The Information Commissioner’s Office (ICO) is warning all healthcare organisations that ‘people need to trust that their medical information is safe and only available to authorised employees’.
Although this has been prompted by the ICO receiving a report of a data breach at the London Clinic earlier this month, which is it is now assessing, the watchdog said its own data shows there are more than 1,500 incidents reported by the health sector every year.
It has urged practices and healthcare organisations to follow a three-point plan for handling highly sensitive patient data responsibly (see box below).
Stephen Bonner, deputy commissioner for regulatory supervision at the ICO, said it is aware that people may now be questioning how safe and secure their medical records are following reports of a data breach at the London Clinic.
Media reports have revealed that this breach centres around claims staff attempted to access Kate Middleton’s private medical records when she was being treated at the hospital in January.
Mr Bonner said: ‘When we’re in the care of healthcare providers, we need to be able to freely share our personal and sensitive data – it’s often essential to ensure we receive the care and support we need. As new technologies come into use in our healthcare system, our data will become even more important.
‘This underlines the need to ensure this information is treated with the utmost care and security. Every patient, no matter who they are, has the right to privacy,’ he added.
In the last year, the ICO said it has taken enforcement action against several healthcare organisations, including NHS Fife after an unauthorised person was able to enter a ward and access the personal information of 14 patients.
Handling patient data responsibly
The ICO has said practices and healthcare organisations should ensure:
- Staff are thoroughly trained. Organisations should have data protection training in place that is role-specific, tailored and relevant to the tasks being completed. Staff should feel confident in handling people’s personal information safely and securely. It must be clear to staff about what records they are allowed to access.
- Appropriate technical measures are in place. Passwords and access controls should be in place to ensure personal information can only be seen by people who need to use it.
- Staff are clear on the data breach reporting proces. An organisation must report misuse of personal data to the ICO if there is a risk to people’s rights and freedoms, which is often the case with sensitive medical information. This must be reported within 72 hours of becoming aware of the breach. More information on breach reporting here.
