The Computer Says “No (you are dead)!” 

Yesterday the BBC reported that a Scarborough woman attended a hospital for a scan only to be told she had already died. Data Protection professionals will know that Article 5(1)(d) of the UK GDPR states personal data must be: 

“accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)” 

In a shocking breach of this principle, Bridlington Hospital staff told Susan Johnson that, according to their records, she had been dead for four months. This led to her carer’s allowance, paid for looking after her disabled husband, being briefly suspended. 

What is also concerning is the lack of accountability. None of Mrs Johnson’s GP Practice, the DWP, NHS England or Primary Care Support England (PCSE) has taken responsibility for the error.

This case shows that data protection compliance is not a tick-box exercise. Failure to comply sometimes has severe consequences for individuals.

This and other GDPR developments will be discussed by Robert Bateman in our forthcoming GDPR Update workshop. We have also just launched our new workshop on the EU AI Act and the UK Approach to AI Regulation.

UK Hospital Trust Reprimanded for GDPR Infringements 

The University Hospitals of Derby and Burton NHS Foundation Trust (UHDB) was recently issued a reprimand (30/10/23) by the Information Commissioner for multiple infringements of the UK General Data Protection Regulation (UK GDPR). This decision highlights significant concerns regarding the management and security of patient data.

Background of the Case 

UHDB, formed by the merger of the Derby Teaching Hospitals NHS Foundation Trust and Burton Hospitals NHS Foundation Trust in July 2018, operates five hospitals across various locations.
The infringement was initially detected at The Florence Nightingale Community Hospital in Derby. 

The issue revolved around UHDB’s handling of patient referrals for outpatient appointments. These referrals, containing sensitive health data, were processed via an electronic referral system (e-RS). The system, however, was plagued with a critical flaw where referrals would disappear from the worklist after a certain period, resulting in significant delays and data loss. 

Key Findings of the Investigation 

The investigation into UHDB’s practices uncovered several alarming facts: 

Data Subjects Affected: Approximately 4,768 individuals were directly impacted, with over 4,199 experiencing delayed medical referrals. The delayed response potentially caused distress and inconvenience to patients, some of whom waited over two years for treatment. 

Organisational Failings: UHDB was found lacking in implementing adequate organisational measures to prevent accidental data loss, especially concerning special category data. 

Inadequate Processes: The reliance on manual processes and email communications for managing referral drop-offs was deemed ineffective and insecure. 

Lack of Formal Oversight: There was no formal oversight ensuring the effective management and reinstatement of referrals onto the worklist. 

Absence of Risk Assessments: No risk assessment was conducted in relation to handling referral drop-offs, a measure that could have identified and minimised data protection risks. 

Remedial Actions and Recommendations 

In response to the reprimand, UHDB has taken several remedial steps, including conducting full internal and external reviews, contacting affected patients, creating a new Standard Operating Procedure (SOP), and introducing robotic process automation to reduce human error. 

The Commissioner recommended further actions for UHDB, emphasising the need for continuous support to affected data subjects, assessment and monitoring of new processes, and sharing lessons learned across the organisation to prevent future incidents. 

Implications and Conclusions 

This case serves as a stark reminder of the critical importance of data protection in the healthcare sector. It underscores the need for robust systems and processes to safeguard sensitive patient information, and the potential consequences of failing to comply with the GDPR.

UHDB’s commitment to rectifying these issues is commendable, yet the incident raises broader questions about data management practices in the NHS and the healthcare sector at large.

Information Governance in Health & Social Care Conference

Act Now is pleased to announce that it will be holding a major conference in the new year on the 24th of March entitled ‘Health Now – Information Governance in Health and Social Care – Where are we now?’ Speakers from the ICO, many areas of the NHS, NADPO and Act Now will be meeting in Leeds to discuss the future of information governance and patient care.

If you work in information governance, records management, data protection, freedom of information, IT, compliance, information and compliance management, data & information management then this is for you. Over 100 delegates are expected from Local and Central Government, Health and Social Care and associated sectors.

To download your advance copy of the conference flyer click here. With a delegate fee of only £199 we expect a high demand for places. Book Now for Health Now! See our other courses for the health and social care sector here.