UK Patient Health And Medical Data Record Encryption: ICO Justifies NHS Monetary Penalties.

According to, the UK’s Information Commissioner’s Office has been criticized for the fines it’s been levying on NHS bodies.  If you’re a regular reader of this blog, you won’t be surprised to hear that the ICO has been regularly handing out fines — sometimes in the six figures — for data breaches where data security software like AlertBoot disk encryption for patient data was not used.

But it looks like some people in the government are surprised.  Tellingly enough, they are people connected to the NHS.

Innocent Patients Affected

Christopher Fincken, the chairman of the UK Council of Caldicott Guardians, has singled out the ICO for the penalties it is levying on NHS trusts, based on a report that noted:

the money NHS bodies were using to pay fines levied on them by the Information Commissioner’s Office for serious breaches of the Data Protection Act “effectively come[s] out of funding patient care”

“What is a Caldicott Guardian?” you may be asking.  A Caldicott Guardian is “a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing,” according to  The site also notes that each NHS organization is required to have one.

Fincken continued:

it was “quite wrong” that “the innocent patient” could suffer if NHS bodies were cutting funding to patient services in order to pay data breach fines. He said that “there needs to be a different mechanism, a fairer way” to punish data breach offenders, adding that “relevant officers” in the NHS had to be held “responsible and accountable” over the cases.

Can you find anything wrong with Fincken’s viewpoints?  The ICO can (my emphasis):

In response, a spokesperson for the ICO told that NHS bodies can avoid wasting public money by better protecting personal data.

Data Breaches Affect Innocent Patients, Too

The ICO is correct, of course.  In fact, if I may add some fuel to the fire, I find it highly bizarre that a Caldicott Guardian — who is essentially charged with patient data protection — has the gall to come out on the side of the NHS when it’s been shown time and time again that it’s terrible at data protection.  Data breaches are expected from time to time — I often note that the perfect security solution does not exist — but lines should be drawn when data breaches are egregious in nature.

I don’t think anyone will dispute that monies diverted from the NHS to the Treasury (the ICO doesn’t keep the money) are probably a bad thing, especially when they affect, or have the potential to affect, patients’ sense of well-being.

On the other hand, lax attitudes regarding patient data are also bad for patients’ well-being.  Can you imagine getting medical attention only to find that a data breach at the NHS has led to identity theft?
Perhaps the answer lies in a third way.

Jailhouse Rock

The ICO has been asking for the power to imprison people.  They actually refer to it as custodial sentences for breaches of the Data Protection Act, and the issue has been ongoing since 2008, at least, when the Secretary of State was given the power to introduce custodial sentences under the Criminal Justice and Immigration Act.

Locking people up in the slammer is a non-financial alternative that the ICO could use to ensure that the NHS and other organizations follow the law.  Seeing the head of an NHS trust in prison would not directly affect patients, whereas jailing doctors or nurses would.

On the other hand, is it a logical alternative to monetary fines?  For example, what if a doctor loses an unencrypted company laptop, but the NHS chief ordered that all computers be encrypted, and the IT department swears that they took care of it?  Who is to blame in this case, and who should face the possibility of incarceration?
