Privacy Warning Over Medical Records


Campaign group says too many staff have access

Thousands of non-medical staff have access to confidential medical records, leaving the system open to abuse, a new report has warned.

According to the campaign group Big Brother Watch, which compiled the report, access to patient records in the NHS is "largely unregulated and fluctuates depending on staff turnover, access to the computer network and changing security clearance".

“In certain NHS Trusts, access to confidential medical records is provided to hospital porters, IT staff and those working in the finance department,” the report, called 'Broken Records', states.

Locally, Imperial College Healthcare NHS Trust, which includes Hammersmith Hospital, Queen Charlotte's and Chelsea, and Charing Cross, has 981 non-medical personnel who have access to patient records.

The Broken Records report adds that although it is illegal, under the Data Protection Act, to access medical records without good reason, there is currently no clear framework for tracking and auditing this. “Harsh penalties, training and hoping that staff are incorruptible is a flimsy approach to personal privacy,” the report states.

Big Brother Watch say the current system poses “significant privacy and data security risks”:
“The number of non-medical personnel with access to confidential medical records leaves the system wide open for abuse. Whilst Big Brother Watch has considered emergency, necessity and practicality concerns, we believe it is necessary to drastically reduce the number of people with access to medical records to prevent the high rate of data loss experienced by the NHS. The Government needs urgently to address the dire state of security around our medical history before it rolls out the Summary Care Record, granting access to hundreds of thousands of additional NHS staff across England,” said Big Brother Watch Director, Alex Deane.

However, a spokeswoman for Imperial College Healthcare said there were safeguards in place to prevent abuse: “We are one of the largest acute trusts in the UK and employ more than 9,000 staff. Around 10 per cent of our staff are non-clinicians who have some level of access to patient records, such as medical secretaries, ward clerks and records staff. This access is essential to their duties in clinic. All access to patient data is strictly controlled on a need-to-know basis, in line with national guidelines and the Trust policy.

“All staff, including those who have access to patient records, are legally and contractually obliged to maintain their duty of confidentiality to patients at all times. New staff must undertake confidentiality training following induction. Access to systems containing patient data is strictly controlled. Staff are individually accountable and monitored when accessing patient systems.”

According to Big Brother Watch, the NHS has a “long and uncomfortable history of data loss and security breaches”. The campaign group says that in June last year, it was reported that the NHS had lost more data in the first part of 2009 than the total amount lost by central Government and all local authorities combined.

The Broken Records report also expresses concerns over future plans for medical records, saying the Government’s National Programme for IT (NPfIT), which aims to create lifelong electronic health records for all patients, would be “very vulnerable to abuse”, while the Conservatives' proposals, which could involve handing over medical records to internet servers run by private companies such as Google and Microsoft, are also said to be of concern: “Having already faced accusations of privacy invasion with their Street View programme, many will balk at the thought of handing over intensely personal information to a private company that doesn't face anything like the same scrutiny as a government body,” says the report.

March 30, 2010