NHS Data losses an accident waiting to happen

Technology used by public authorities made data security breaches “an accident waiting to happen”, a privacy official warned.

Jonathan Bamford, assistant information commissioner, said too many institutions failed to ensure that they had the electronic tools to limit the confidential details they held and prevent them being copied.

His comments come before the launch by the Information Commissioner’s Office of a report aimed at helping institutions improve public confidence in the ability of the public and private sectors to handle personal data.

Mr Bamford said in an interview that embarrassing data losses by government organisations were part of the price institutions were paying for bolting data security safeguards on as an afterthought rather than designing systems with them in mind.

He said: “It was obviously a bit of an accident waiting to happen. They are all things where people have messed up rather than acted in a malevolent way, which says a lot about what the safeguards were in the technology itself.”

Mr Bamford said organisations should invest more in so-called “privacy enhancing technologies” aimed at minimising the risk of losing sensitive data.

These include stopping information being downloaded on to memory sticks, barring the collection of unnecessary details and giving staff access to data on a need-to-know basis only.

Mr Bamford said: “We have seen the shortfall in the way organisations have approached personal information and have not really valued it.”

Public officials and corporate executives have come under intensifying pressure on data security as the Information Commissioner’s Office and other data watchdogs broadened their assault on bad practices highlighted by Revenue & Customs’ loss last year of details relating to 25m people.

Companies accounted for 80 of 277 data security breaches reported to the Information Commissioner’s Office during the year to October, ahead of 75 by the National Health Service and other healthcare providers, and 54 by local and central government.

Mr Bamford said private and public organisations should have done better, as data protection law was not “some new-fangled thing” but dated back almost a quarter of a century.


Posted by: Health Direct on