Data protection update

Between January and April 2009, a total of 140 security breaches were reported by NHS bodies to the Information Commissioner’s Office. Examples of security breaches include the loss of an encrypted memory stick carrying medical details of over 6,000 prisoners (an attached note set out the password) and the theft of an unencrypted, unsecured laptop carrying 10,000 GP patient records. To date, these incidents have resulted only in informal enforcement action. The introduction of a new regime of direct fines, due to be implemented in the second half of 2009, is set to increase the pressure on NHS bodies to avoid data protection breaches in future.

The number of reported NHS data losses in the first half of 2009 exceeded that reported by central government and local authorities combined. Over this period the Information Commissioner’s Office (ICO) took enforcement action against 14 different NHS bodies. The ICO has reminded the NHS that "Data protection must be a matter of good corporate governance and executive teams must ensure they have the right procedures in place to properly protect the personal information entrusted to them. Ultimately, the organisations risk losing the confidence of patients and their families."

Currently, the ICO lacks the direct powers to impose fines or other sanctions on NHS bodies that have breached data protection rules. Enforcement action takes place on a relatively informal basis, with NHS bodies being invited to make specified improvements in practice within a given timetable. However, new powers inserted last year into the Data Protection Act 1998 (DPA), expected to come fully into force later this year, will greatly enhance the ICO's powers to intervene in serious cases. These powers will enable the ICO to fine organisations that have seriously contravened the Data Protection Act. The powers will be triggered where there is a breach of the DPA which is either deliberate or which occurs in circumstances where the responsible organisation knew or ought to have known of the risk of the breach. The powers may be used where the breach in question is of a kind likely to cause substantial damage or substantial distress and the organisation responsible for the data has failed to take reasonable steps to prevent the breach.

When the new regime comes into force later in the year, the ICO will be able to impose fines using a system of Penalty Notices. The use of Penalty Notices is to be governed by a code of practice that has yet to be published. The maximum penalty is yet to be prescribed, although the ICO has called for powers to issue unlimited fines. Recipients of Penalty Notices will have an opportunity to make representations prior to the fixing of any fine, and there is to be a formal appeals process.

The introduction of the new penalty regime has important implications for NHS bodies. NHS bodies have long been expected to have in place extremely robust systems for managing patient data. This is in order to comply with the duty of confidentiality, the Human Rights Act and the Data Protection Act, as well as local governance requirements and the Caldicott Principles. It will therefore be particularly difficult for NHS bodies with inadequate systems to argue about the extent to which their data security arrangements are "reasonable" or to claim that breaches are unlikely to cause substantial damage or distress.

In view of the fact that so many of the reported NHS data losses concern incidents involving digital media, there is a need for all NHS bodies to review the local use of such media and to ensure that all staff are fully aware of data protection principles and local policies.

More information

If you are concerned about possible breaches of the Data Protection Act within your organisation, our team of specialist data protection lawyers can help. Morgan Cole is a provider of data protection training, accredited by the British Computer Society. Further information is available from our dedicated microsite.

(c) Morgan Cole LLP 2010. No responsibility can be accepted for any actions based on this information.