NHS worst for data breaches - Information Commissioner
The NHS has reported the highest number of serious data breaches of any UK organisation since the end of 2007, the Information Commissioner's Office says.
David Smith, deputy commissioner at the ICO, told the Infosec security conference that the NHS had highlighted 287 breaches to it in the period.
That accounts for more than 30% of the total number reported.
The NHS - the UK's largest employer with 1.7m staff - is in the process of rolling out digital patient records.
Most of the breaches (113) were the result of stolen data or hardware, followed by 82 cases of lost data or hardware.
Big fines
Mr Smith said the problems were not confined to the public sector and that the results could be skewed, because the public sector has a culture of reporting all breaches whereas not all private sector firms did.
Richard Vautrey, the deputy chair of the British Medical Association's GPs committee, thinks the number of breaches reflects the size and complexity of the NHS as well as its culture of openness.
"So many people have access to data and often human error is to blame. There is an increased attempt to be open and honest about what happens to data," he said.
He added that he was not aware of a specific case where a data breach had affected patient privacy or care.
"We need to keep their breaches in perspective," he said.
As part of its plans to digitise patient records, the NHS is asking patients if they want their data stored on national databases. It is important that people are given the chance to opt out, said Mr Vautrey.
Currently the reporting procedure for data breaches in the UK is voluntary, although the ICO is "moving towards" a compulsory system.
In April the ICO introduced fines of up to £500,000 for serious data breaches.
Warning signs
The European Union's Telecoms Package requires telecom firms to report data breaches and Mr Smith said he expected this requirement to expand beyond telcos.
Data encryption firm PGP welcomed the tough new approach to data security.
"Finally the ICO, which has long demanded greater powers, will be able to severely punish those in serious breach of the Data Protection Act. For too long, organisations have continued to ignore the warning signs - risking both the privacy of their customers and the reputations of their brands," said Jamie Cowper, European marketing director at PGP.
He anticipates "severe fines" for the next private sector company to be involved in a serious data breach, although he does not imagine the ICO will pursue the NHS.
PGP calculated that data breaches cost companies, on average, £67 per piece of data lost.