Well, I’d been hoping for a quiet Christmas away from the PC, but it was not to be… News broke today, Sunday, of yet more public sector data breaches. And once again it’s the Department of Health which is facing a diagnosis of poor security process.
Only a couple of days ago John-Paul Kamath reported on the Information Commissioner’s Office ruling that the DoH had breached the data protection act, by failing to properly protect personal details entered into the Medical Training Application Service website. Now it’s the patients’ data that the DoH has confessed hasn’t been getting quite the treatment it deserves.
Losing trust in the Trusts
The BBC has reported that nine NHS trusts have lost patient data, with up to 168,000 people affected. The reported incidents include the loss of a disc containing the names and addresses of 160,000 children, which failed to arrive at the hospital to which it was being sent by City and Hackney Primary Care Trust. According to the Times, the losses were uncovered during a data security review.
The Department of Health has said that affected patients have been informed – and certainly I know a couple of individuals in my local area who’ve already received letters from Sutton and Merton, one of the trusts that has confessed to a breach. It’s good to know that they are at least confessing to the problems and attempting to address them, but it’s still worrying. Especially if my fellow blogger David Lacey is right, and the situation is much worse than the public realises!
As in the high-profile HMRC case, this latest public sector confession once again concerns the physical, accidental loss of media – data sticks, discs, laptops… As Stuart King has previously noted in his blog on the 2007 data breach survey, it’s this kind of accidental loss that is actually the most frequent cause of data breaches.
The dangers of abstraction
Perhaps it’s not that surprising. For one thing, with the ability to store and transport such large amounts of data about so many individuals in one relatively small, single object, it’s certainly far easier to lose far more in one go than would have been possible even ten years ago.
But I wonder whether the abstraction of the data doesn’t also help to raise the risk.
A USB stick containing the personal medical records of 160,000 people or a commercially sensitive presentation looks the same as one holding a few holiday snaps – or nothing at all. I suspect it’s easier to get a little careless about something that seems, on the face of it, anonymous and replaceable, than it would be with say, paper records, x-ray films, or a diary. Even though there is no doubt that just as much (if not more) real world damage could be done to the individuals concerned should the data fall into the wrong hands.
I can still remember earning some holiday cash boxing records for the clinic at my father’s GP surgery as a teenager, in the pre-computerisation days of the NHS. The paper records were held in big brown cardboard files with just the name, data of birth, and address visible on the outside. I was far too much of a good girl to sneak a peak inside, but nevertheless you could gather a sense of each individual’s life from the state of their records. The blue and red printed covers told you clearly that this was a man or woman, and the chunkiness of the records relative to the person’s age gave you a pretty clear idea of their general state of health. Babies had crisp, flat folders, almost empty, every bit as new to the world as they were. Older people might have numerous folders, some of them yellowing and softened so much that the edges of the card almost turned to dust in your hands. My own, following a number of operations as a child, was pretty chunky itself! (And, okay, I did read that one…)
Perhaps I’m a little too given to sentiment, but the physical presence of those files in my hands always used to impress me with the sense of those real lives to which they related. And as a result, I took great care when I went about my work there. Would I have been quite so careful if all I’d had to do was drag and drop a few records about on screen? Sadly, I’m not so sure…