In what is becoming an ever more regular occurrence for the NHS, it has been reported that the East Midlands Ambulance Service has lost a disk containing the notes of 42,000 patients who had been treated by paramedics in the last few months.
This incident once again underlines the dangers of organisations holding increasing amounts of personal information about individuals, either electronically or in paper format. It seems obvious that the greater the amount of information that is held in one place, the more likely it is to go missing, either by accident or as the result of a deliberate breach. Indeed, just last week Kent Social Care Professionals unintentionally sent out an email containing the names, addresses and phone numbers of 120 elderly and vulnerable individuals to nearly 200 people.
Accidental leaks such as this make the need for proper data protection training amongst staff painfully apparent. If an organisation knows that it is going to hold large amounts of personal information, about staff or customers, it should ensure that its employees know their responsibilities under the Data Protection Act 1998 (DPA). Of course this cannot help to stop those who wish to purposely breach data protection law. This can only be achieved by improving the sanctions that are available to punish those who seek to misuse personal information.
The Edited Electoral Register (EER) has come under fire in the past few weeks, with a series of reports indicating that the Register is proving to be more trouble than it is worth. To add fuel to the fire, the Local Government Association (LGA) has called for the sale of the EER to be stopped and the register itself to be scrapped.
Councillor Peter Fleming, Chair of the LGA’s Improvement Board, has hit the nail on the head with what is wrong with the EER, arguing that councils resent having to pass “the electoral roll onto direct marketing companies”, continuing that “it demeans our democracy for the voters’ details to be sold off to help direct marketing companies make money.”
Indeed, one of the main problems with the EER is that it is of benefit to no one but the very marketing companies that purchase the data. In fact it is especially troublesome for residents who find themselves being deluged with junk mail due to their councils being forced to sell it on.
A single case has managed to combine all that is worrying about the way in which local councils carry out traffic enforcement. The story, reported in the Daily Mail, showed that after being caught on CCTV a driver was subsequently tracked down by bailiffs using a combination of mobile Automatic Number Plate Recognition (ANPR) and their access to the DVLA database.
The use of CCTV for handing out traffic fines is something that has raised concerns from a number of sources, for example Eric Pickles, Secretary of State for Communities and Local Government, who accused councils of “bending the law as a means of filling their coffers with taxpayers’ cash.” The Surveillance Camera Commissioner (SCC) also published guidance on this practice, stating that cameras should only be used “when other means of enforcement are not practical”.
Research by Big Brother Watch (PDF) has highlighted that the use of static CCTV to tackle parking and traffic violations has proved lucrative for local councils, bringing in over £179m in 5 years. This reinforces Eric Pickles’ concerns that CCTV cameras are in fact being used to raise revenues, rather than actually improve traffic conditions.
Finally clarifying what was already widely accepted, a publication by the Information Commissioner’s Office (ICO) has confirmed that surveillance legislation is “complex”. “Surveillance Road Map” (PDF) seeks to set out the responsibilities of each body tasked with overseeing the laws that govern surveillance as well as highlighting some of their overlapping functions.
One of the aims of the guidance is to show members of the public “the avenues available to challenge or complain about any alleged breach of surveillance legislation”. Whilst this is a laudable aim it misses the real problem: that in too many cases roles are unnecessarily duplicated.
One prime example is the Surveillance Camera Commissioner (SCC) and the ICO. The guidance states that the two bodies’ CCTV Codes of Practice “dovetail”; in fact they repeat each other. There is no reason for both bodies to be responsible for CCTV oversight. As the document points out, the SCC has no “complaints handling or enforcement function”. Action should be taken to rectify this; as a result, the SCC could be made responsible for a single, enforceable Code of Practice and the ICO would be able to focus more attention on its other functions.
Even plans made with the best of intentions can go awry. In a speech made last week, Mark Hoban, a former Minister of State for Work and Pensions, floated the idea of combining previously separate personal financial information into a single database.
Mr Hoban argued that “It would be great if we could use the Retirement Saver Service to store data on their savings, pensions – state and private – and housing”. The idea is that it would give individuals a clearer idea of their current savings situation as well as helping to signpost any necessary action they would need to take in the future.
At the moment the regulatory framework simply isn’t good enough to ensure that another new database would be secure. The sanctions that are available for punishing those who misuse personal information and break the Data Protection Act 1998 are almost non-existent. At present the most any breach will receive is a fine; there is no option for a court to hand down a custodial sentence. When compared to the financial gains that can be made through selling the information on, a fine, which is usually small, cannot be considered to be an effective deterrent.
South Central Ambulance Service has found itself on the wrong side of the Information Commissioner’s Office (ICO) after it accidentally published the Equality and Diversity information of members of staff on its website. What’s worse is that the Trust was alerted to the data breach by the ICO, rather than by someone in the Trust itself.
We have previously warned about the serious data breaches that can occur in the NHS, with our report highlighting more than 806 separate incidents where medical records were compromised. This incident shows that patients aren’t the only ones at risk of having their data compromised by the NHS.
The ICO found that the Trust had published the personal details of 2825 current and former members of staff on its website, with information including the individual’s name, job and work location, nationality, marital status, age, gender, ethnic origin, disability, religious belief and sexual orientation.
An investigation by the Press Association has revealed 300 serious data breaches in the Metropolitan Police Service (MPS), including information being passed on or sold to journalists. These revelations are likely to have a direct impact on the level of trust between the public and police, so it is essential that MPS now launches an urgent review into the security measures used for confidential and sensitive information.
With increasing amounts of information being collected by police forces, these data breaches make it clear that simply not enough has been done to ensure it is protected. The information held on police computers is of huge significance and for details to be disclosed, maliciously accessed or lost is completely unacceptable.
The 300 breaches cover a five-year period and range from minor rule-breaks on social media to serious allegations of misconduct leading to arrests. The instances include:
From passing on incorrect information to snooping on friends, a number of shocking data protection breaches in police forces have been uncovered. With hundreds of incidents every year it is time to start asking whether it is too easy for police databases to be abused to snoop on innocent people.
Big Brother Watch has long been concerned about the number of data breaches occurring within police forces. In 2011, we published the report ‘Police Databases: How More Than 900 Staff Abused Their Access’. The report highlighted a shocking number of data protection breaches and the subsequent limited number of punishments that were handed out. We also commented on the recent case of a police officer being charged with stealing thousands of accident victims’ details from her police force’s computer to sell to law firms.
Last week we wrote about the leaflet that every household will be receiving from NHS England detailing serious changes to the way our medical records are shared. We warned that such a lacklustre scheme to inform the public is arguably illegal under data protection law and goes against the Government’s commitment to give patients control over their medical records.
Today, the British Heart Foundation, Arthritis Research UK, Cancer Research UK, Diabetes UK, the Academy of Medical Sciences, the Medical Research Council and the Wellcome Trust have launched an advertising campaign encouraging people not to opt out of the initiative.
Quite simply, patients should not be forced, or feel pressured, to take part in a scheme that involves sharing details contained in their medical records, especially at a time when NHS England has failed to properly inform patients about how medical records will be shared and which organisations will be able to see them.
We are barely into 2014, yet we are faced with yet another serious data protection breach concerning a public sector computer. On this occasion, a police officer has been charged with stealing thousands of accident victims’ details from her police force’s computer and selling them to law firms.
This case alone highlights the serious need for our courts to issue much tougher penalties for unlawfully obtaining or disclosing personal information, otherwise these cases will continue to occur.
A court has heard that Sugra Hanif accessed Thames Valley Police’s command and control computer to note down the personal details of members of the public involved in road traffic accidents, including the unique reference number each incident was given.