Yesterday’s Sun on Sunday carried details of the latest data protection issue in the NHS, concerning medical details of 600,000 patients.
Data was ‘over collected’ by GE Healthcare and then sent back to the US, despite the Data Protection Act clearly highlighting the need to keep data within the European Economic Area unless robust safeguards are in place.
The data included clinical data and records of weight, age and height. While the company became aware of the fault last year, the Information Commissioner’s Office was only notified last month.
The affected NHS Trusts were also told; however, it appears none decided to notify patients about the incident.
Patients will be shocked to hear that this kind of mistake can happen with details of serious illnesses and their treatments – and that they were not told when it did. Next time the information could be far more serious.
The incident also highlights why it is incredible that the Information Commissioner still requires permission before he can investigate how the NHS protects confidential patient information. The fact this all happened by accident should add further impetus to the need for the ICO to fully investigate the way that cloud and off-shore data services impact on patient privacy.
There should be an urgent investigation into just how many NHS bodies are sending data to other countries to save a few pennies, potentially putting patient privacy at serious risk.