Howard Freeman has over 30 years' expertise in Cyber Security and Compliance and has supported big corporates as well as SMEs on the challenges around data compliance and GDPR, serving domestic and international clients across Europe, the USA, Australasia, South America, South Africa and beyond.
“The NHS has always had data breaches which have mostly been minor and therefore not publicly reported. However, the ICO reporting that the three and a half thousand health care breaches in the last two years were mainly from within the NHS is alarming. The private sector is not much better, as we see every day, as many clinics and practices don’t really understand the full responsibilities they have to clients and for compliance with the GDPR. Most still believe that a Privacy Notice on their web site and registering with the ICO is sufficient for compliance. Nothing could be further from the truth, and it is this lack of education that is causing high levels of breaches.
“Despite this major problem, the Government saw fit to announce the GP DPR (General Practice Data for planning and research). Sounding not unlike the GDPR, was this new acronym designed to confuse or perhaps to draw attention to the data protection regulation? It seems unlikely. Thankfully, the Government has now put this project on hold. The 866 incidents of the last year to March 2021 clearly demonstrate that the NHS is in no position to engage in a major data management initiative. The NHS should stop the leaks and breaches prior to starting this major project.
“The 456 instances where data was sent to the wrong recipient are particularly alarming. Whilst little information relating to the detail behind these errors has been made available, one can only imagine the reasons for this. The NHS is hugely overworked, and the pandemic has not helped this situation. Staff may have been rushing to meet deadlines and mistakes can be made. Loss of paperwork and computing devices is unacceptable and needs investigation. The loss of devices represents an increased cost to the already overstretched NHS budget. An understanding of how and why this is happening needs to be found.
“The 225 cases where data was stolen, lost or left in a non-secure location suggest a lack of training, and the failure to create a data-secure culture, even in a high-intensity environment, is of great concern.
“Such mistakes have had serious consequences for the victims, which is unforgivable. However, valuable NHS money is then being paid to the victims not to mention legal fees in the form of compensation. Taxpayers don’t pay the NHS for compensation and legal fees; they pay for healthcare and hospitals. With GPs saying they will opt out all of their patients from the GP DPR and the project likely to get underway in September, the NHS must repair its internal data management before embarking on this exercise.
“When it comes to using health information there are particular safeguards that must be put in place to protect people’s privacy and the success of any project will rely on people trusting and having confidence in how their personal data will be used. There seems to be a serious problem inside some of our largest institutions”.