Data protection in the NHS

Recent high profile data protection breaches, such as the £500,000 fine for Facebook for allowing third parties to obtain user data, or the series of fines for Leave UK for various infractions during the run-up to the 2016 referendum, have demonstrated yet again that data protection law is not always respected when it matters most.

It is worth noting that many recent ICO fines have not been issued under GDPR, as the events concerned occurred before the new legislation came into force. Most recent fines are in fact the result of breaches of the Data Protection Act, which is hardly a new kid on the legislative block.

The scale and far-reaching effects of data misuse are having a fundamental influence on the structure of societies. The outcomes of elections, for example, both here and in many other parts of the world, have been influenced by the information citizens can access on their smartphones; information which is not entirely factual and has been specifically tailored to encourage certain points of view.

It’s clear these types of data misuse cases are very different in nature from the old-fashioned breaches we became all too familiar with back in the day. Gone are the unencrypted MoD work laptops left on buses and tube trains. Gone are the NHS hard drives up for sale on eBay.

So in these days of social engineering gone wrong, how is the NHS faring? Have the days of large-scale data breaches now disappeared for us?

In the 20 years I’ve worked in the NHS, I’ve seen massive changes in the technology being deployed. Undoubtedly, patient data is now better protected than ever before. Modern IT systems have intrinsic safeguards, such as audit trails, that allow any access to data to be monitored. It’s becoming rare now to find an IT system that doesn’t have the necessary security credentials.

Training in data protection is mandatory for NHS staff across the board. While improvements in this area are always welcome, I have seen much better uptake of data protection training in all areas of the NHS.

But there is no room for complacency. Staff must always be reminded about the nuts and bolts of data protection. The need for basic due diligence can sometimes be lost in the noise of legislative and technological changes. Maintaining solid training and awareness programmes remains a key priority.

But, like the concerns we all have about our own Facebook data, the emerging concerns for the NHS are very much to do with big data. Now that many areas of the NHS are entirely electronic rather than paper-based, NHS data is not only a valuable and potentially profitable resource for third parties; it is also in a format that can easily be transferred and processed in bulk.

With the advent of emerging technology such as AI, keeping abreast of technological change and maintaining the confidence of patients that we will look after their data will continue to keep us on our toes.


1st May 2019 | Articles, Focus Month