BreachExchange mailing list archives

Warnings after PCT data protection breach


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Tue, 2 Oct 2012 21:55:05 -0400

http://www.hsj.co.uk/news/legal/warnings-after-pct-data-protection-breach/5050004.article

Lawyers have warned of the legal limits on sharing information with
private companies when running preventative initiatives after a
primary care trust was found to have broken the Data Protection Act.

The Information Commissioner found NHS Bournemouth and Poole had
breached the act by passing patient information to a company it had
commissioned to carry out NHS health checks without patients’ consent.

Contact details of 3,700 patients identified as likely to benefit from
a cardiovascular health check were passed from GP practices to
Enhanced Healthcare Services. One patient complained after being
telephoned by the company.

In a report to last week’s trust board meeting, Bournemouth and Poole
interim chief executive Suzanne Rastrick said the ICO had upheld the
complaint and found that the first principle of the act, that personal
data shall be processed fairly and lawfully, was breached by the PCT.

She said the ICO had decided not to take any regulatory action on this
occasion “due to the information governance processes that the PCT can
demonstrate are in place” and because the PCT had agreed to write to
all of the patients who were contacted by the firm.

HSJ understands the PCT does have procedures in place but on this
occasion they were not followed.

Anne Crofts, partner at DAC Beachcroft, told HSJ the NHS had
“historically” worked on an “implied consent model” where there is an
assumption patients consent to their confidential data being used by
the team involved in the care episode the patient has initiated.
However, she warned there were “particular issues” with preventative
risk stratification exercises like Bournemouth and Poole’s.

“The difficulty arises here when the patient hasn’t initiated the
contact,” she said. “If the patient doesn’t know beforehand their
confidential information will be shared and how they could object you
can’t assume that consent is freely given.”

Mills and Reeve Associate Lucy Johnston told HSJ a solution would have
been for the GP practice to send out the letters on behalf of the
company inviting patients to contact the company directly.

“There is an increased sensitivity amongst patients around sharing
information with new and private providers (as opposed to NHS
organisations). This requires careful thought and management,” she
said.

An ongoing review of the Caldicott principles of patient
confidentiality, due to report in March next year, is expected to
provide further advice and guidance on sharing information with
independent sector providers.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

