back to article Reckless loss of laptop data? ICO calls for stiff fines

Information Commissioner Richard Thomas told the House of Lords this week that doctors should be fined up to £5,000 if they lose confidential patient data. Giving evidence to the House of Lords Constitution Committee, Thomas said: "If a doctor, or hospital [worker] leaves a laptop containing patients' records in his car and it …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Encryption

    Im not sure how most trusts work, but ours use an entire drive encryption technology. users have to log in with a username and password before getting anywhere near windows. Taking the drives out of the laptop and putting into another laptop to extract data would be friutless. The entireity of the drive is encrypted. It takes away the need for doctors and staff to encrypt valuable data. Why isnt this practise used everywhere? Using Citrix to publish word if patient letters are created? Surely if your not making adequate attempts to protect patient information you shouldnt be working for the NHS and your probably in breach of Caldocott.

  2. Paul Booth

    Just another soundbite

    The greatest number of leaks of personal information are acknowledged to come from the Inland Revenue, the Benefits Agency and the DVLC. Some years ago I tried to get the Data Protection Registrar (as she was known then) to investigate a blatent breach. An ex-copper who worked there told me on the telephone that my complaint would be frustrated and ignored, as they had a 'very good working relationship with all the Government agencies'.Data protection is important, but the current set-up works as a corrupt club. It is no surprise that they pop up now and again to make some noise and attempt to justify their budget.

  3. NRT

    Encryption is simple!

    Just scan in a doctors handwritten notes. If they are anything like their prescription forms, it will be impossible to read the data.

  4. Les Matthew

    @NRT

    "Just scan in a doctors handwritten notes. If they are anything like their prescription forms, it will be impossible to read the data."

    Wrong.

    My pharmacist can crack them in seconds. :P ;)

  5. Anonymous Coward
    Anonymous Coward

    Great

    So now companies will start hushing it up when a laptop goes missing...

  6. David Harper

    Why stop at doctors?

    One of the most appalling examples of loss of other people's data was the theft last year of a laptop from an employee of the Nationwide building society. The employee had personal data on several million customers, apparently for no better reason than to conduct market research.

    The ICO fined the Nationwide almost a million pounds, but since the Nationwide is a building society, that amounted to penalising the customers for the loss of their own data. That's not a deterrent, it's simply an insult to the customers.

    If the Information Commissioner were serious about this problem, he would propose that a company's chief executive and chief information officer should both be fined for the loss of customer data. A fine of one pound per customer whose personal data is compromised, should focus their minds on the importance of securing customers' personal data.

  7. Anonymous Coward
    Flame

    @AC

    Well, I'm pleased to hear that your trust scrambles their drives, but the introduction of a set of penalties might encourage more of them to Do The Right Thing. Frankly, having a laptop stolen which contains confidential information held in plaintext should get you sent to prison, as should holding it in plaintext and *not* having the device stolen. And this should apply to USB fobs, CDs, over the wire transfer, floppy discs, and *any* other sort of storage device.

    The offence is not having the data stolen, it's holding it in plaintext in the first place.

  8. John H Woods Silver badge

    I agree

    I always laugh at the 'sensitive military plans' going missing. Yeah, right. Only the plans that they want to leak out. But, as usual, the AC is right: if you must have confidential data on a system, use cryptography. Just don't lose the keys ...

  9. Alan Ferris
    Gates Horns

    Sauce for the Goose?

    So this means that Patsy will pay for leaking doctors private details through the MTAS website, does it?

    And this means that the minister responsible for the FCO will cough up for leaking thousands of details of Visa applicants through their website, does it?

    Or does the word "responsible" have a different meaning when it's the government involved? I wonder if I can find out under the Freedom of Information Act... What do you mean that FOI doesn't apply?

    We are all doomed

  10. Brian Murray

    laptop/desktop addiction?

    Absolutely the lack of encryption/localised security should be addressed here ... you cannot delegate responsibility to the users without available commodity (e-)solutions (which we may well see emerge in the future but not now).

    However, I am perplexed by our cultural addiction to localised data (whether on a laptop or a desktop). Surely the first focus should be to ensure as much data as possible is centralised and only access over centrally controlled network security. If you can access your session anywhere/anytime, why would any localised data be required! .... Access, even where local and/or encrypted, should then rely on a smart card/token system such that the laptop alone is useless (and even with the card/token still needs access code/password).

  11. Stephen Jackson

    Paul, are you psychic?

    http://news.bbc.co.uk/1/hi/uk_politics/7103566.stm

    I think this backs up Paul's post quite nicely....

  12. Dave Brooker

    Human error is unavoidable

    All the above points are very salient but the reality is that human error occurs no matter how stringent an organisation's policies are. Tools to stop access to sensitive data are all very well but the really smart baddies will get round them.

    Also, all the comments talk about customer or patient records as sensitive data but these are the crown jewels. Any laptop, professional or personal will have something on it that will be deemed to be sensitive, perhaps an e-mail or even a letter to a client confirming the contents of a meeting.

    Far better would be to accept human error and adopt tools that react to them. If a laptop goes missing why not wait for it to wake up and then delete all data on it, as it boots. By the time the crook has got past the password he is confronted with a blank PC. The organisation that lost it has a report confirming the delete, where and when so there is no need for fines and negative publicity can be avoided.

This topic is closed for new posts.