An investigation into data handling by the Information Commissioner’s
Office (ICO) has concluded with St George’s Healthcare NHS Trust in
London being slapped with a vast financial penalty of £60,000. The fine
is the fourth one given by the ICO in the last two months to various NHS
institutions, with the message being that the ICO have no hesitation in
hitting people hard in the pocket if they do not adhere to data
protection legislation. The news emerges only two weeks after we reported
that one of London’s biggest NHS trusts, Imperial College Healthcare,
are facing an enquiry into the deaths of 25 patients due to bad data
management.
According to the ICO, the St George’s NHS Trust were punished after
twice sending sensitive personal medical records by post to an address
that the patient had not occupied for half a decade. The mistake is
perhaps inexplicable considering that the patient had given the Trust
their latest address before the medical
appointment, and the correct address had even been logged on the NHS
spine. This means staff had failed to check that details on their local
patient database corresponded with those on the spine. The sensitive
information included details of the patient’s physical examination and
subsequent results, medical history and a health professional’s advice
on the issue.
Questions will surely now be raised on the efficacy of the NHS spine,
and staff faith in the system. The current deputy government CIO, Liam
Maxwell, has previously criticised the spine and suggested the health
service would benefit more from using health systems from either Google
or Microsoft. The spine system incorporates three aspects to its design:
the Personal Demographics Service (PDS), the Summary Care Record (SCR)
and the Secondary Uses Service (SUS). The PDS stores patient demographic
data and NHS Numbers. There is no opt-out facility for this, but
patients can choose to have their PDS marked as ‘sensitive’ to prevent their
contact details being viewed by 831,000 staff. The SCR summarises
clinical information, such as allergies and adverse reactions to
medicine that a patient may have. Finally, the SUS intelligently uses
patient data from their records to create anonymised and pseudonymised
business reports and statistics for research, planning and public health
delivery.
When explaining the justification for the hefty £60,000 fine, ICO head
of enforcement Stephen Eckersley commented, “It’s hard to imagine a
more distressing situation for a vulnerable person than the thought of
their sensitive health information being sent to someone who had no
reason to see it. This breach was clearly preventable and is the result
of the Trust’s failure to make sure the contact details they have for
their patients are accurate and up to date.”
Medical Specialists Pharmacy fully understands the fines being issued by the ICO. Respecting the
Data Protection Act has always been at the core of our business practice
and we demonstrate this in a number of ways such as:
. Private and confidential online consultations, which are discreet between the patient and doctor.
. Information is processed online over a secure and encrypted connection.
. All processing/dispensing is conducted in-house.
. Patient details are seen by absolutely no third parties or doctors other than our own.
. We do not send spam, junk, or unnecessary correspondence via either post or email.
. Medications are dispatched (free of charge) through Royal Mail
Special Delivery, meaning everything must be signed and accounted for,
and will not simply be shoved through your letter box for anybody to get
hold of.