BreachExchange mailing list archives
Warnings after PCT data protection breach
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Tue, 2 Oct 2012 21:55:05 -0400
http://www.hsj.co.uk/news/legal/warnings-after-pct-data-protection-breach/5050004.article

Lawyers have warned of the legal limits on sharing information with private companies when running preventative initiatives after a primary care trust was found to have broken the Data Protection Act.

The Information Commissioner found NHS Bournemouth and Poole had breached the act by passing patient information to a company it had commissioned to carry out NHS health checks without patients’ consent.

Contact details of 3,700 patients identified as likely to benefit from a cardiovascular health check were passed from GP practices to Enhanced Healthcare Services. One patient complained after being telephoned by the company.

In a report to last week’s trust board meeting, Bournemouth and Poole interim chief executive Suzanne Rastrick said the ICO had upheld the complaint and found that the first principle of the act, that personal data shall be processed fairly and lawfully, was breached by the PCT.

She said the ICO had decided not to take any regulatory action on this occasion “due to the information governance processes that the PCT can demonstrate are in place” and because the PCT had agreed to write to all of the patients who were contacted by the firm.

HSJ understands the PCT does have procedures in place but on this occasion they were not followed.

Anne Crofts, partner at DAC Beachcroft, told HSJ the NHS had “historically” worked on an “implied consent model” where there is an assumption patients consent to their confidential data being used by the team involved in the care episode the patient has initiated.

However, she warned there were “particular issues” with preventative risk stratification exercises like Bournemouth and Poole’s.

“The difficulty arises here when the patient hasn’t initiated the contact,” she said. “If the patient doesn’t know beforehand their confidential information will be shared and how they could object you can’t assume that consent is freely given.”

Mills and Reeve associate Lucy Johnston told HSJ a solution would have been for the GP practice to send out the letters on behalf of the company inviting patients to contact the company directly.

“There is an increased sensitivity amongst patients around sharing information with new and private providers (as opposed to NHS organisations). This requires careful thought and management,” she said.

An ongoing review of the Caldicott principles of patient confidentiality, due to report in March next year, is expected to provide further advice and guidance on sharing information with independent sector providers.