CCGs will be data controllers. They are likely to hold sensitive personal information relating to tens of thousands of patients. Are they ready for the data security challenges this will bring? And are they aware of the massive financial implications of getting it wrong? If anyone involved in a shadow CCG has yet to focus on this issue, the following news may help!
In September 2010 over 200 computer hard drives were stolen from Brighton General Hospital. These drives contained confidential information regarding thousands of patients. Brighton and Suffolk University Hospitals NHS Trust had subcontracted the destruction of these drives to a registered contractor. When they appeared for sale on eBay the Trust called the police. Each and every hard drive was recovered. The police did make an arrest, but no-one was ever charged with an offence.
The Information Commissioner's Office response to this event: it intends to fine the Trust (whose property was stolen) the sum of £375,000. The Trust's Chief Executive has stated that the Trust was the victim of a crime and that it will contest the fine, having done everything by the book. He points out that the intended sum would pay for 30 heart bypasses, 360 courses of chemotherapy or 3400 A&E attendances. Many of us will await the outcome with keen interest.
The likelihood is that the size of the fine is the ICO's response to a sector that it feels has simply not got to grips with data security. In short, this is intended to be a deterrent to the whole health sector. In its Information Rights Strategy, published last November, the ICO identified the health sector as its number 1 priority. Explaining why the health sector is being targeted, a spokeswoman for the ICO said: "we have seen a lot of data breaches in that sector."
Whatever we might think of the size (and the sense) of the fine, the message is clear. Current and future health bodies must have data security policies that are robust, up to date and actually followed.