The Medical Defence Union is reminding general practices about the importance of protecting patient data after the Information Commissioner issued the first fines to organisations breaching the Data Protection Act.

Using new powers gained in April this year, the Commissioner issued a fine of £100,000 to Hertfordshire County Council for faxing information about a child abuse case to the wrong recipients, while an employment company was fined £60,000 for the loss of an unencrypted laptop containing the personal information of 24,000 people.1

While neither case involved a healthcare organisation, an article in the latest edition of inpractice, the Medical Defence Union's (MDU) journal for practice managers, says any organisation which handles highly sensitive patient information, particularly when held electronically, may be vulnerable to such losses.2 For example, in September this year East and North Hertfordshire NHS Trust was found to have breached the Data Protection Act 1998 (DPA) after a junior doctor mislaid an unencrypted USB stick which held details of patients' conditions and medications.

Inpractice medical editor and MDU medico-legal adviser, Dr Beverley Ward, said:

"The Information Commissioner's office will only impose fines for serious, deliberate or reckless breaches of the DPA, such as using unencrypted laptops containing personal information. While it may be unlikely that practices will fall foul of such a sanction, it is very important to have robust systems in place to protect patient data.

"The Commissioner expects data controllers, such as GPs, to take reasonable steps to prevent such breaches of the Act, such as carrying out a risk assessment or having a policy in place to encrypt all portable devices including laptops. Electronic data can be particularly vulnerable, because it is more easily transmitted and portable."

The MDU's article includes the following advice for practices:

- Avoid storing identifiable personal data on mobile devices.

- Have an information security policy in place of which all staff are aware.

- Never store patient data on your personal computer.

- Be aware of relevant ethical and legal guidance, specifically from the GMC and the NHS.

- Report any loss of data straightaway to the nominated senior person in your practice, so that action can be taken to prevent further breaches and the Information Commissioner can be informed, if appropriate.

1. First monetary penalties served for serious data protection breaches, Information Commissioner's Office press release, 24 November 2010.

2. Tougher sanctions for patient data breaches, inpractice Journal, Volume 6, Issue 1, December 2010, MDU.

Source:
Medical Defence Union (MDU)