A REPORT on data protection at GP surgeries highlights good overall practice but also failings in some areas including incident reporting and disposal of records.
In 2013/14 the Information Commissioner’s Office (ICO) carried out advisory visits to 24 GP surgeries in England and this week issued a report on the findings. Most of the surgeries tended to have good data protection policies and awareness of key issues such as data security and patient confidentiality. But the report also highlighted areas needing improvement, including an appreciation of the need to report data breaches.
The authors commented: "Procedures were always in place to log serious and untoward incidents, but IG incidents were rarely distinguished. It is only through the thorough reporting of incidents that regulators can properly support organisations encountering incidents and help avoid repeats. As such, failure to report a breach is one of the factors taken in to consideration by the ICO when assessing monetary penalties."
Improvements were also suggested around faxing and the risks posed by unrestricted internet access. Several surgeries allowed staff to access personal email addresses with the risk of data leakage, hacking and viruses.
In regard to records disposal, the ICO found: "Surgeries were aware of standard NHS guidelines and timeframes for records retention and disposal, but there was a general lack of specific local procedures or protocols to review files and meet these standards. In some cases, in-house shredding of confidential waste was not effective with backlogs of files for disposal, and the volume of waste to be shredded was potentially more appropriate for a specialist third party contractor."
The ICO also highlighted security issues in regard to the use of USB sticks and other portable data devices. "Unsecured USB ports still created a risk of unauthorised removal of personal data using portable media or the introduction of malware and viruses to the network. Similarly in some cases local desktop C: drives could allow data to be saved on equipment and DVD/CD drives were enabled."
Lee Taylor, ICO Team Manager in the Good Practice team, said: "The NHS processes some of the most sensitive personal information available and data breaches at GP surgeries can have significant repercussions for the individuals affected. But we were broadly pleased with what we saw during the advisory visits. Having the right policies and procedures in place is the backbone to good data protection and the GP practices we visited tended to have these.
"The findings are particularly important as the NHS has been undergoing a period of considerable change. We hope GP surgeries use this report to review their procedures for handling personal information at their own practice; this can only be good news for patients."