21st June 2010 at 16:39:20 by Civil Service World
Tags: health, wellbeing and care, NHS management, privacy and data protection, data security, health and safety
The commissioner’s move is designed to draw attention to the issue; the ICO has published one other undertaking since the government came out of purdah, and 20 undertakings since January 2008 – out of 290 data breaches in total.
The two latest undertakings were agreed with NHS Stoke on Trent Trust and Basingstoke and North Hampshire NHS Foundation Trust, but it isn’t clear why the trusts have been singled out. Although the breaches were significant – in the case of Stoke on Trent, 2,000 records were lost in a single incident – they are not obviously more serious than other recent incidents. The Stoke incident involved the disappearance of paper records which have apparently been misfiled or lost, while in Basingstoke and North Hampshire data was emailed through a non-secure system.
The Information Commissioner, Christopher Graham, told CSW that the trusts have been named to publicise the problem of data loss. He is “concerned about data breaches in the public services,” he said. “The NHS is clearly the largest [public sector] organisation, and they need to get the message along with everyone else.” He added: “I’m confident that we’re doing what we should be doing to raise the profile of the issue.”
The biggest worry for NHS trusts in the latest data is the sharp rise in the number of breaches caused by theft: 42 cases of stolen data in 2008-9, against 77 in 2009-10. Graham told CSW that there is a “crime issue – but things do get stolen, often from locked and secure computer stores.”
To tackle the problem, he said, his office is working to ensure that organisations train their staff and keep data secure. Information on laptop computers must be encrypted in case they are stolen, he said; and only fake data should be used in training exercises.
Even in a good organisation, Graham added, individuals “can go rogue. You need to deal with individuals as well as with organisations. Sometimes individuals get persuaded that they ought to part with data in their safe keeping. That is crime; it’s not simply to be laid at the door of the organisation’s data regime.”
The full data on NHS data breaches, released to CSW, shows that there has been a drop-off in reported incidents in the last quarter, and in the number of thefts reported. This may be a blip, but it does correlate with the introduction of a new penalty which the information commissioner can use to ensure that public bodies take data loss seriously.
Since 6 April this year, the ICO has been able to fine organisations up to £500,000, using a ‘civil monetary penalty’. “We’re not trigger happy, but we’ll use this power – which is the most serious we have – where there has been a dereliction of duty and a serious message needs to be sent,” said Graham. “It’s only a matter of time before somebody gets fined.” He added that “we have to use the powers that we have in a focused way. It’s not a blunderbuss; it’s an Armalite rifle.”
Meanwhile, the ICO is likely to continue embarrassing erring public bodies by publishing undertakings. The former information commissioner, Richard Thomas – now a consultant at Hunton & Williams, and the chair of the Administrative Justice & Tribunals Council – commented that the ICO has to strike a difficult balance in deciding whether to publicise these agreements. “On the one hand, notifying the general public is important: it puts pressure on people to take care of the data in the first place, and indicates where accountability has not gone right,” he said. “On the other, if there’s a large volume [of published undertakings], you can create a sort of yawn factor with a large number of very small incidents.”
However, he highlighted the importance of pushing for progress on data security. “At the moment, where we’ve been in the last few years with data security, the more transparency the better,” he argued. “I’m not terribly impressed with the argument that we don’t notify people because it might alarm them. The most important people in this are the patients; we can’t say we can’t tell people because it might alarm them.”
As well as introducing these sticks, the ICO is trying to make it easier for data protection officers to comply with the law by providing guidance. According to a spokesperson for the Department of Health, the NHS is doing the same: “We have set clear standards for NHS organisations to adhere to on data handling, and have issued guidance that sets out the steps they must take to ensure records are kept secure and confidential.”
There’s another aspect to this, points out Christopher Graham: the rise in reported losses may simply show that staff are taking data loss more seriously, and reporting more of the breaches that occur. “One hopes that there is an improvement in procedures and one symptom of that may paradoxically be an increase in [reported] breaches,” he said.
So, might the ICO be penalising NHS trusts for improving their data handling practices, and thereby revealing the true picture of how much data is being lost each year? Well, reported NHS breaches have been rising faster than those in other parts of government, so this argument assumes that only the NHS is improving its data handling procedures. And Graham suggests that his intervention is targeted at a poor-performing sector: “We don’t just go slamming a fine on an NHS trust just because they report a data breach,” he says. “We get reports from other sources as well; very often patients.”
It seems that the ICO will have to keep up the pressure on data loss. After all, the rise in reported losses may simply be giving us a clearer picture – but the picture that we’re getting is certainly not a pretty one.
Written by Joshua Chambers, CSW
