NHS Digital Grapples with Mass Data Breaches

More than a third of organisations that received unauthorised NHS data during the rollout of Care.data have failed to respond to NHS Digital’s request to destroy the records.

The news comes as NHS Digital approaches the end of a six month period during in which it agreed to remedy the unauthorised sharing of data under the now-defunct scheme.

Around 700,000 patient record opt-outs must be confirmed by 19th Ocotober.

Meanwhile, a number of other key undertakings are also expected, with the deadline having been agreed with the Information Commissioner’s Office.

47 of the 123 medical research information service customers and nine of the 28 non-MRIS customers that received unauthorised datasets had not responded to a request to destroy the data.

And 51 GP practices out of the 7,454 contacted had not yet submitted an up to date list of patients who have chosen to opt out of data sharing.

NHS Digital commented that they “have been working in consultation with the Information Commissioner’s Office to ensure that we meet the requirements of the undertaking.”

The figures will be particularly worrying to the public considering the involvement of Google in a public-private partnership with the NHS.

Google has been frequently criticised for privacy issues related to data, and the inability of NHS organisations to deal with these requests will be of concern.

There are also valid questions to be asked about the way that technology operates in the NHS.

Previous reports have suggested that the healthcare system is lagging behind private sector organisations, and this issue would once again suggest that this impression is accurate.

In April, NHS Digital signed an ICO undertaking committing to taking six steps to remedy the problem. These were as follows:

– contacting all 700,000 patients who opted out to tell them their data may have been shared against their wishes;

– contacting all customers who received unauthorised data sets from NHS Digital between January 2014 and April 2016 to inform them that, where possible, the data must be destroyed, deleted or replaced with a new dataset;

– establishing and operating a system to successfully process and uphold type 2 objections.
NHS Digital board papers published this month detail actions taken to fulfil the undertakings. These include:

– contacting 123 MRIS studies and 28 non-MRIS customers that received unauthorised data from NHS Digital, to instruct them to destroy any unused data;

– successfully developing a way of “cleaning” data files prior to dissemination, to completely remove the records of patients who have opted out and assure those patients that their files have been completely removed;

– increasing the proportion of GP practices collecting patient opt-outs to over 99 per cent of all GP practices – ensuring that most patients are informed of their options to opt-out.

Within NHS England, the Chief Data Officer’s team is responsible for the development and delivery of our strategy for the use of data at every level of the organisation.


Post a Comment