Our new report, NHS Data Breaches (PDF), highlights the scale of data breaches in the NHS. The research reveals examples of medical data being lost, shared on social media, and inappropriately shared with third parties.
The report shows that between 2011 and 2014 there were at least 7,255 breaches. This is the equivalent of 6 breaches every day. Examples of the data breaches include:
- At least 50 instances of data being posted on social media
- At least 143 instances of data being accessed for “personal reasons”
- At least 124 instances of cases relating to IT systems
- At least 103 instances of data loss or theft
- At least 236 instances of data being shared inappropriately via email, letter or fax
- At least 251 instances of data being inappropriately shared with a third party
- At least 115 instances of staff accessing their own records
- There have been at least 32 resignations during the course of disciplinary proceedings.
- There is 1 court case pending, for a breach of the Data Protection Act. In this instance the individual may have also resigned prior to proceedings.
As well as considering the number of data breaches within the NHS, the report reflects on the legislation that is in place to address them, highlighting that the Data Protection Act 1998 (DPA) has a number of flaws that must be corrected. A criticism of the DPA is that it does very little to discourage those who are seriously considering breaking data protection legislation, and that it makes it harder to clamp down on the individuals and organisations that knowingly flout the rules by accessing and, in some cases, selling personal information to third parties.
As a result, Big Brother Watch proposes three measures, including the option of custodial sentences and criminal records for the worst offenders, and better training.
Emma Carr, director of Big Brother Watch, said: “The information held in medical records is of huge personal significance and for details to be wrongly disclosed, maliciously accessed or lost is completely unacceptable.
“With an increasing number of people having access to patients’ information, the threat of data breaches will only get worse. Urgent action is therefore needed to ensure that medical records are kept safe and the worst data breaches are taken seriously.
“If the government wants to make the public’s data more accessible, then this must go hand in hand with greater penalties for those who abuse that access. This should include the threat of jail time and a criminal record.”