Despite uncovering thousands of cases of patient information being wrongly disclosed to third parties, a recent review into the sharing of medical records with private sector companies endorses the practice.
The Daily Telegraph reports that the review, conducted by Sir Nick Partridge, found that “tens of thousands of records were wrongly passed to third parties”. However, Sir Nick argued that the proper checks and balances were now in place.
This is not the first time questions have been raised about the NHS’ ability to keep patient data secure. Earlier this month Big Brother Watch published NHS Data Breaches, a report into the subject (PDF). It found that data security is an ongoing problem: over the last four years patient confidentiality had been breached at least 7,255 times.
The major issue to be resolved is the level of deterrent the Data Protection Act 1998 poses to individuals who are intent on breaking its provisions. Currently the courts can only hand down a fine to those guilty of maliciously breaching the terms of the Act.
Following Monday night’s confused debate on EU Justice and Home Affairs powers, it has been revealed that the Government is embarking upon a scheme that would give European states limited access to the UK DNA database and potentially pave the way to a linking of the UK and EU databases.
This is a worrying development, made more so by the fact that, as the Financial Times reported, the move seems to have been made to appease certain member states who were concerned about the UK’s withdrawal from other EU police schemes.
It is disappointing that after sticking to their promise to stay out of the wider Prüm Convention, the Government seems to be getting close to implementing it in all but name, prioritising the wishes of other states over the safety of its own citizens.
The Lib Dems have well and truly kicked off the next election cycle with the publication of their pre-manifesto (PDF), essentially a draft of what will become their manifesto in 2015.
The document contains a number of pledges on civil liberties, including:
- The introduction of a new Freedoms Bill to protect the public from state intrusion and extend access to information.
- Passing a Digital Bill of Rights, to protect people from “unacceptable intrusion” by organisations and give them more control of their data.
- Identifying alternatives to secret courts.
- Supporting net neutrality and the freedom of the internet.
- Ensuring the proper oversight of our security services.
- Improving safeguards for stop and search, including tighter guidance and mandatory body-worn cameras for officers deployed with Section 60 stop and search powers.
The idea of a new Freedoms Bill is encouraging; the Protection of Freedoms Act 2012 introduced some real improvements. It is necessary that any new Bill continues on these lines and extends safeguards to protect members of the public from unwarranted and excessive state surveillance. Key to this is the expansion of judicial authorisation for surveillance warrants. For more details on how this can be achieved, please read our paper on the subject: Enhancing surveillance transparency: A UK policy framework (PDF).
The idea of a Digital Bill of Rights is something that Big Brother Watch has supported for some time. It is vital that the personal data of members of the public is given greater protection, something that a Bill of this kind has the potential to do. It is also clear that the free and neutral nature of the internet is under threat from both government institutions and private companies. Other countries around the world have threatened policies that, if this continues, would lead to the “Balkanisation” of the internet, wherein countries no longer trust each other and set about carving the web into separate national internets. Any proposals should aim to reflect Sir Tim Berners-Lee’s call to safeguard the principle that the internet should be an “open, neutral” system.
In what is becoming an ever more regular occurrence for the NHS, it has been reported that the East Midlands Ambulance Service has lost a disk containing the notes of 42,000 patients who had been treated by paramedics in the last few months.
This incident once again underlines the dangers of organisations holding increasing amounts of personal information about individuals, both electronically and in paper format. It seems obvious that the greater the amount of information that is held in one place, the more likely it is to go missing, either by accident or as the result of a deliberate breach. Indeed, just last week Kent Social Care Professionals unintentionally sent out an email containing the names, addresses and phone numbers of 120 elderly and vulnerable individuals to nearly 200 people.
Accidental leaks such as this make the need for proper data protection training amongst staff painfully apparent. If an organisation knows that it is going to hold large amounts of personal information, about staff or customers, it should ensure that its employees know their responsibilities under the Data Protection Act 1998 (DPA). Of course this cannot help to stop those who wish to purposely breach data protection law. This can only be achieved by improving the sanctions that are available to punish those who seek to misuse personal information.
The Edited Electoral Register (EER) has come under fire in the past few weeks, with a series of reports indicating that the Register is proving to be more trouble than it is worth. To add fuel to the fire, the Local Government Association (LGA) has called for the sale of the EER to be stopped and the register itself to be scrapped.
Councillor Peter Fleming, Chair of the LGA’s Improvement Board, has hit the nail on the head with what is wrong with the EER, arguing that councils resent having to pass “the electoral roll onto direct marketing companies”, continuing that “it demeans our democracy for the voters’ details to be sold off to help direct marketing companies make money.”
Indeed, one of the main problems with the EER is that it is of benefit to no one but the very marketing companies that purchase the data. In fact it is especially troublesome for residents who find themselves being deluged with junk mail due to their councils being forced to sell it on.
A single case has managed to combine all that is worrying about the way in which local councils carry out traffic enforcement. The story, reported in the Daily Mail, showed that after being caught on CCTV, a driver was subsequently tracked down by bailiffs using a combination of mobile Automatic Number Plate Recognition (ANPR) and their access to the DVLA database.
The use of CCTV for handing out traffic fines is something that has raised concerns from a number of sources, for example Eric Pickles, Secretary of State for Communities and Local Government, who accused councils of “bending the law as a means of filling their coffers with taxpayers’ cash.” The Surveillance Camera Commissioner (SCC) also published guidance on this practice, stating that cameras should only be used “when other means of enforcement are not practical”.
Research by Big Brother Watch (PDF) has highlighted that the use of static CCTV to tackle parking and traffic violations has proved lucrative for local councils, bringing in over £179m in 5 years. This reinforces Eric Pickles’ concerns that CCTV cameras are in fact being used to raise revenues, rather than actually improve traffic conditions.
Finally clarifying what was already widely accepted, a publication by the Information Commissioner’s Office (ICO) has confirmed that surveillance legislation is “complex”. “Surveillance Road Map” (PDF) seeks to set out the responsibilities of each body tasked with overseeing the laws that govern surveillance as well as highlighting some of their overlapping functions.
One of the aims of the guidance is to show members of the public “the avenues available to challenge or complain about any alleged breach of surveillance legislation”. Whilst this is a laudable aim, it misses the real problem: that in too many cases roles are unnecessarily duplicated.
One prime example is that of the Surveillance Camera Commissioner (SCC) and the ICO. The guidance states that the two bodies’ CCTV Codes of Practice “dovetail”; in fact they repeat each other. There is no reason for both bodies to be responsible for CCTV oversight. As the document points out, the SCC has no “complaints handling or enforcement function”. Action should be taken to rectify this; as a result, the SCC could be made responsible for a single, enforceable Code of Practice and the ICO would be able to focus more attention on its other functions.
Even plans made with the best of intentions can go awry. In a speech made last week, Mark Hoban, a former Minister of State for Work and Pensions, floated the idea of combining previously separate personal financial information into a single database.
Mr Hoban argued that “It would be great if we could use the Retirement Saver Service to store data on their savings, pensions – state and private – and housing”. The idea is that it would give individuals a clearer idea of their current savings situation as well as helping to signpost any necessary action they would need to take in the future.
At the moment the regulatory framework simply isn’t good enough to ensure that another new database would be secure. The sanctions that are available for punishing those who misuse personal information and break the Data Protection Act 1998 are almost non-existent. At present the most any breach will receive is a fine; there is no option for a court to hand down a custodial sentence. When compared to the financial gains that can be made through selling the information on, a fine, usually a small one, cannot be considered to be an effective deterrent.
South Central Ambulance Service has found itself on the wrong side of the Information Commissioner’s Office (ICO) after it accidentally published the Equality and Diversity information of members of staff on its website. What’s worse is that the Trust was alerted to the data breach by the ICO, rather than by someone in the Trust itself.
We have previously warned about the serious data breaches that can occur in the NHS, with our report highlighting more than 806 separate incidents where medical records were compromised. This incident shows that patients aren’t the only ones at risk of having their data compromised by the NHS.
The ICO found that the Trust had published the personal details of 2825 current and former members of staff on its website, with information including the individual’s name, job and work location, nationality, marital status, age, gender, ethnic origin, disability, religious belief and sexual orientation.
An investigation by the Press Association has revealed 300 serious data breaches in the Metropolitan Police Service (MPS), including information being passed on or sold to journalists. These revelations are likely to have a direct impact on the level of trust between the public and police, so it is essential that the MPS now launches an urgent review into the security measures used for confidential and sensitive information.
With increasing amounts of information being collected by police forces, these data breaches make it clear that simply not enough has been done to ensure it is protected. The information held on police computers is of huge significance and for details to be disclosed, maliciously accessed or lost is completely unacceptable.
The 300 breaches, which cover a five-year period, range from minor rule-breaks on social media to serious allegations of misconduct leading to arrests. The instances include: