Addressing data protection - not just an IT issue

Scotland

Data protection and data security are all too often thought of as 'IT' issues, because the huge technological advancements of the past 20 years have changed forever how organisations collect, manage, use and store data. However, the Information Commissioner's Office's (ICO) recent investigation into an NHS trust emphasises the importance of care and precision when sending personal data by the old-school postal service.

Background

An NHS trust has come under fire from the ICO for sending a patient's sensitive medical details to the wrong address. The information was sent to the patient's old house, despite the individual having notified the NHS of a change of address. The patient's address had been updated on the national care records service, but staff had failed to carry that change across to the local patient database, ignoring the protocols that were in place. As a result, two letters containing sensitive personal data were sent to the patient's old address. This data protection breach resulted in St George's Healthcare NHS Trust being fined £60,000.

Comment

The lesson here is simple: data protection breaches needn't be complex. Getting a client's address wrong can lead to personal data being disclosed to the wrong person and to a fine from the ICO. For a public sector body, it does not require a great stretch of the imagination to envisage a client's financial details or other personal information being delivered to an old address simply because the records are not up to date. Practically, this can be avoided by:

having procedures in place to routinely check that client data is up to date;
diligently and promptly recording any changes to clients' details; and
if client contact details are held on several different systems, having procedures in place to replicate changes across all of those systems, and to check that the systems agree before anything is sent out.
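The third point is where the St George's breach happened: the authoritative record was updated but a local copy was not, and the letters were addressed from the stale copy. As an added illustration (not code from the page, the ICO or the trust), the following Python models that check in the simplest useful form: treat the national record as the source of truth, replicate its changes into the local copy with an audit trail, and hold back any mailing where the two systems still disagree rather than printing whichever address the local system happens to hold. The record layout, the function names and all patient data are constructed for the example.

```python
"""Address reconciliation and pre-mailing gate.

Illustrative example only: the record layout, function names and all
patient data below are constructed and do not describe any real system.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AddressRecord:
    patient_id: str
    postal_address: str


def normalise(address: str) -> str:
    """Compare addresses case-, punctuation- and whitespace-insensitively so
    that a re-keyed but equivalent address is not reported as a mismatch."""
    return " ".join(address.upper().replace(",", " ").split())


# Constructed sample data. The authoritative source (standing in for the
# national care records service) holds the new address for P001; the local
# copy was never updated. P002 is the same address keyed differently.
# P003 exists only locally, with no authoritative record to check against.
NATIONAL: Dict[str, AddressRecord] = {
    "P001": AddressRecord("P001", "14 New Street, Glasgow, G1 1AA"),
    "P002": AddressRecord("P002", "7 Quiet Lane, Edinburgh, EH1 2BB"),
}
LOCAL: Dict[str, AddressRecord] = {
    "P001": AddressRecord("P001", "3 Old Road, Glasgow, G2 2ZZ"),          # stale
    "P002": AddressRecord("P002", "7 quiet lane, edinburgh, eh1 2bb"),    # equivalent
    "P003": AddressRecord("P003", "1 Orphan Close, Dundee, DD1 3CC"),     # local only
}


def find_mismatches(national: Dict[str, AddressRecord],
                    local: Dict[str, AddressRecord]) -> List[str]:
    """Routine check: patient IDs whose local address differs from the
    authoritative record, or that exist locally with no authoritative record."""
    mismatched = []
    for pid, rec in local.items():
        auth = national.get(pid)
        if auth is None or normalise(auth.postal_address) != normalise(rec.postal_address):
            mismatched.append(pid)
    return sorted(mismatched)


def replicate_changes(national: Dict[str, AddressRecord],
                      local: Dict[str, AddressRecord]
                      ) -> Tuple[Dict[str, AddressRecord], List[str]]:
    """Replicate authoritative changes into the local copy.

    The authoritative record always wins. Returns the updated local copy and
    an audit list of the patient IDs that were changed. Local-only records are
    left untouched and will still be reported by find_mismatches()."""
    updated = dict(local)
    changed = []
    for pid, auth in national.items():
        current = updated.get(pid)
        if current is None or normalise(current.postal_address) != normalise(auth.postal_address):
            updated[pid] = auth
            changed.append(pid)
    return updated, sorted(changed)


def mailing_address(patient_id: str,
                    national: Dict[str, AddressRecord],
                    local: Dict[str, AddressRecord]) -> Optional[str]:
    """Pre-mailing gate: return the address to print only when both systems
    hold the patient and agree on the address. Otherwise return None so the
    letter is held for review instead of being sent to a possibly stale address."""
    auth = national.get(patient_id)
    loc = local.get(patient_id)
    if auth is None or loc is None:
        return None
    if normalise(auth.postal_address) != normalise(loc.postal_address):
        return None
    return auth.postal_address


if __name__ == "__main__":
    print("Mismatches before replication:", find_mismatches(NATIONAL, LOCAL))
    print("P001 mailing address (held if None):", mailing_address("P001", NATIONAL, LOCAL))
    synced, audit = replicate_changes(NATIONAL, LOCAL)
    print("Records changed by replication:", audit)
    print("Mismatches after replication:", find_mismatches(NATIONAL, synced))
    print("P001 mailing address after sync:", mailing_address("P001", NATIONAL, synced))
```

The gate is deliberately conservative: a letter is only released when the two systems agree, so a failure to replicate a change results in a held letter and an entry in the mismatch report, not in a letter at the wrong address. The local-only record P003 is never auto-corrected; it is reported so a human can decide which system is wrong.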

In the event of a similar postal mishap, the fact that it is an offence in the UK for an individual to open mail that is not addressed to them may deter the unintended recipient from reading it, but it offers public sector bodies no protection at all: the personal data has already left their control, the data protection obligation has already been breached, and the wrath of the ICO will follow regardless.