South Central Ambulance Service has found itself on the wrong side of the Information Commissioner’s Office (ICO) after it accidentally published the Equality and Diversity information of members of staff on its website. What’s worse is that the Trust was alerted to the data breach by the ICO, rather than by someone in the Trust itself.
We have previously warned about the serious data breaches that can occur in the NHS, with our report highlighting more than 806 separate incidents where medical records were compromised. This incident shows that patients aren’t the only ones at risk of having their data compromised by the NHS.
The ICO found that the Trust had published the personal details of 2825 current and former members of staff on its website, with information including the individual’s name, job and work location, nationality, marital status, age, gender, ethnic origin, disability, religious belief and sexual orientation.
The individuals affected will rightly want to know why someone thought it was appropriate to publish such sensitive and confidential information and why nobody in the Trust itself noticed that it had happened. It would not be unfair to suggest that this incident indicates that the data protection training and monitoring in the Trust may well be lax, and that urgent steps need to be taken to prevent a similar incident from recurring.
In response to the breach, the Trust stated: “We have undertaken a thorough review of all our published information on the website (over 2000 documents) and we can confirm that this was the only document affected. We take our information governance responsibilities very seriously and we have been cooperating fully with the Information Commissioner’s Office throughout this investigation.”
From our own research and incidents like this one, it is abundantly clear that far too many data breaches occur within the NHS and the public services as a whole. Whilst some of the incidents that occur are the product of human error, there are others that are the result of malicious acts. Big Brother Watch remains clear that the punishments available for those found guilty of breaking the Data Protection Act are currently a poor deterrent and that far more could be done to ensure that those who purposefully seek to abuse access to our data face harsher penalties.
At present, those who maliciously obtain or disclose our data face a maximum fine of £5,000 if the case is heard in a Magistrates’ Court and an unlimited fine in a Crown Court. We, alongside the ICO, the Home Affairs Select Committee, Lord Leveson and the Justice Select Committee, continue to call for custodial sentences to be an available punishment for those found guilty of breaking section 55 of the Data Protection Act.