The University Hospitals of Derby and Burton NHS Foundation Trust (UHDB), was recently issued a reprimand (30/10/23) by the Information Commissioner for multiple infringements of the UK General Data Protection Regulation (UK GDPR). This decision highlights significant concerns regarding the management and security of patient data.
Background of the Case
UHDB, formed by the merger of the Derby Teaching Hospital NHS Foundation Trust and Burton Hospitals NHS Foundation Trusts in July 2018, operates five hospitals across various locations.
The infringement was initially detected at The Florence Nightingale Community Hospital in Derby.
The issue revolved around UHDB’s handling of patient referrals for outpatient appointments. These referrals, containing sensitive health data, were processed via an electronic referral system (e-RS). The system, however, was plagued with a critical flaw where referrals would disappear from the worklist after a certain period, resulting in significant delays and data loss.
Key Findings of the Investigation
The investigation into UHDB’s practices uncovered several alarming facts:
Data Subjects Affected: Approximately 4,768 individuals were directly impacted, with over 4,199 experiencing delayed medical referrals. The delayed response potentially caused distress and inconvenience to patients, some of whom waited over two years for treatment.
Organisational Failings: UHDB was found lacking in implementing adequate organisational measures to prevent accidental data loss, especially concerning special category data.
Inadequate Processes: The reliance on manual processes and email communications for managing referral drop-offs was deemed ineffective and insecure.
Lack of Formal Oversight: There was no formal oversight ensuring the effective management and reinstatement of referrals onto the worklist.
Absence of Risk Assessments: No risk assessment was conducted in relation to handling referral drop-offs, a measure that could have identified and minimised data protection risks.
Remedial Actions and Recommendations
In response to the reprimand, UHDB has taken several remedial steps, including conducting full internal and external reviews, contacting affected patients, creating a new Standard Operating Procedure (SOP), and introducing robotic process automation to reduce human error.
The Commissioner recommended further actions for UHDB, emphasising the need for continuous support to affected data subjects, assessment and monitoring of new processes, and sharing lessons learned across the organisation to prevent future incidents.
Implications and Conclusions
This case serves as a stark reminder of the critical importance of data protection in the healthcare sector. It underscores the need for robust systems and processes to safeguard sensitive patient information and the potential consequences of failing to comply with GDPR regulations.
UHDB’s commitment to rectifying these issues is commendable, yet the incident raises broader questions about data management practices in the NHS and the healthcare sector at large.