Tag Archives: NHS

Data Protection and Temporary Workers – the Perfect Data Breach Storm?

This morning bought Security News stories from around the globe as usual. One jumped out at me, not because it was unusual but because the wording highlighted to me some dangerous assumptions and errors in thinking that we are guilty of.

advent IM data protection blog

oops there goes the sensitive data. Image courtesy of freedigitalphotos.net

The story was about a temporary worker at a hospital who had sent letters which contained highly sensitive childrens data, to the wrong addresses. Apparently the temporary workers who had made this series of errors had not received any DP training. The story explained that the ICO had given a warning that  “even temporary staff should have Data Protection Training”

Bear with me. Last year another breach occurred in a hospital when a temp worked downloaded a large batch of patient data onto a data stick and took it home to work on. Apparently on this occasion it was assumed that Data Protection training had been done by someone else.

Firstly, assuming someone has had training in something is always dangerous. Surely if you are going to allow temporary workers access to such sensitive data it is a must have.  Secondly, is it appropriate for a temporary worker to have that access? Obviously this will vary by incident or role.

Its not just the NHS, businesses make this mistake too. I have seen temporary workers who have had no vetting, logged into networks by well meaning employees on their own login credentials. There they have been able to access any sensitive data they wished and the trusting employee has handed over that organisation’s data to someone who may well damage, steal or sell it.

Back to my original point, to say that ‘even’ temporary workers should have Data Protection training seems a bit like looking the wrong way down a telescope. Surely we should be saying temporary workers especially need Data Protection training?

By popular demand…

Our NHS CCTV Awareness training day is back!

For all users and viewers of CCTV images in the NHS regardless of role, the ccourse is deisgned to keep NHS trusts on the right side of the Data Protection Act and ICO guidelines.

November 20th is the date for the training centre but if you have a larger group and would prefer us to come to you, we can arrange it for you.

You can get details of the course, prices  and a booking form here… 

“This was a really informative day. Lots of questions answered. I wish we had had this training when the CCTV was first installed.” – recent delegate from Cornwall Foundation Trust

ICO Fine of the NHS Trust – Who Owns the Risk?

If you have an NHS card, receive NHS treatment and have ever been to hospital, raise your hand…either a lot of us all want to leave the room at the same time, or this particular kind of breach can affect pretty much everyone from the UK.

From the ICO website:

“NHS Hospital Trust  receives a Civil Monetary Penalty (CMP) for serious data breach.

Brighton and Sussex University Hospitals NHS Trust has been served with a Civil Monetary Penalty (CMP) of £325,000 following a serious breach of the Data Protection Act (DPA), the Information Commissioner’s Office (ICO) said today.

The fine is the highest issued by the ICO since it was granted the power to issue CMPs in April 2010.

It follows the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine (GUM) patients – on hard drives sold on an Internet auction site in October and November 2010.

The data included details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. It also included documents containing staff details including National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences.

The data breach occurred when an individual engaged by the Trust’s IT service provider, Sussex Health Informatics Service (HIS), was tasked to destroy approximately 1000 hard drives held in a room accessed by key code at Brighton General Hospital in September and October 2010. A data recovery company bought four hard drives from a seller on an Internet auction site in December 2010, who had purchased them from the individual.”

You can read the full piece here.

Discussion of this penalty in various places online, has raised a variety of questions and opinions. Some people feeling, even within the Data Protection community, that this was ‘too harsh’ (source: Linkedin European Data Protection Forum discussion) Others, with a due sense of subject fatigue, feeling that not only was it right but that it is a bit more like the kind of penalty the ICO needs to be handing out and not just to the public sector either.

Looking at this particular breach and reading the arguments that the penalty was too high makes me wonder if people understand the risk scenario. The task of destroying these hard drives was out-sourced. They were still owned by the trust and they were still guardians of this data.

It looks like a failure of Risk Management that this occurred and one would question if proper due diligence was performed on the contractor tasked with this. A decent Risk Assessment would have suggested that they either sanitise the data prior to disposal or procure an on-site disposal service – the supplier of which should have been sourced from a reputable list like SEAP. I guess you get what you pay for.

The bottom line is the buck stops with the Trust, they were guardians of this data. They out-sourced the task not the risk or accountability. If the Chief Executive is the SIRO, which they should be, should they be made personally accountable for incidents like this? CESG guidance is very clear on how highly sensitive data should be handled in these circumstances, so there really is no excuse.