Password blunder blamed for prison data breach
Posted on April 17th, 2009
Image caption: The missing memory card mysteriously vanished in the prison
Another health trust has been blamed for losing the sensitive medical details of its patients - this time the records of 6,360 prisoners and ex-prisoners which were put on to a memory stick.
The health trust in question - NHS Central Lancashire - has blamed the mistake on “human error”. Its report into the matter found that the memory stick was encrypted but the password was written on a note attached to the card.
The USB stick was being used to back up clinical databases at HMP Preston when it was lost on 30 December. Despite a search the stick has not been found.
NHS Central Lancashire said procedures on data security had not been adhered to but that it had now taken action to remind staff of their responsibilities.
Prisoner surnames, their broad age range, prison number, cell location, prison clinic appointment times and review dates were all included in the information.
An “immediate and urgent” review of data policies was undertaken to ensure consistency regarding the use of USBs after the incident, the trust said.
All data sticks across the PCT were recalled and staff were reminded how to handle personal and sensitive information of patients and employees.
The Trust’s chief executive Joe Rafferty said: “There was a failure in the system which led to this incident happening and we have taken steps to make sure this doesn’t happen again.
“We are pleased that the Information Commissioner’s Office has recognised the swift action taken by NHS Central Lancashire following the information security breach and that, as a result, at present no formal action will be taken.”
Editor’s note: Yet another example of a health trust managing to lose its patients’ data (see previous post ‘Carers careless…..). I suspect they will not learn until somebody sues them for it, and then they will realise there are financial implications to their incompetence. For an example of how even a relatively small health trust will try to spin the facts, have a look at its press release (link). Please post any suggestions as to what the password might have been. Fletch? Porridge? Doh?
-
Flight of fancy shot down by ICO
Posted on April 17th, 2009
Image caption: The CAA has responsibility for ensuring air safety in the UK
Two safety audit reports on a cargo airline should be released into the public domain despite pleas from the Civil Aviation Authority (CAA) that the documents should be kept confidential.
In a recent decision notice (link) the Information Commissioner’s Office ruled the CAA had incorrectly applied a S.31 (law enforcement) exemption to the information when a request to view the documents was lodged under the Freedom of Information Act.
The original request, which was made more than two years ago, asked the CAA to hand over a copy of the safety audit report it had compiled on MK Airlines.
The CAA refused, claiming the information was covered by the S.31 exemption in that its disclosure would be likely to prejudice its functions.
Basically the CAA said that it has responsibilities and authority under the Civil Aviation Act and the Air Navigation Act. It said that if the information were disclosed then other airlines and organisations it came into contact with would be less likely to co-operate and this erosion of trust would ultimately lead to the CAA being less likely to carry out its responsibilities properly.
However, the ICO rejected these arguments. Once again the Commissioner reverted to the Information Tribunal’s assessment of “likely to prejudice” from the decision of John Connor Press Associates v Information Commissioner (link), in which it was stated it should be a “real and significant risk” rather than a “hypothetical possibility”.
The ICO said that the CAA had shown no clear evidence of the prejudice that it might suffer and that it was in the interest of airlines to co-operate with the CAA because they have to if they want to get a licence. The Commissioner also said that the CAA did not need the co-operation of the airlines but could compel them to provide information or risk losing their operator’s licence.
The Commissioner ruled S.31 was not engaged and did not even then go on to consider the public interest test.
He said: “The ability of the public authority to ascertain the competence of persons purporting to be airline operators or investigate and subsequently confirm the competence of current airline operators is embodied in the regulatory powers……
“It follows therefore that it is in the best interests of persons intending to become, or continue as airline operators to comply with specific requirements, and meet or maintain set standards.
“The trust and openness between the public authority and the aviation industry in this respect is one which is beneficial to both parties, and more so to airline operators or they risk losing their licence.
“In the face of the suggestion that disclosure could result in a lack of openness, the Commissioner is still not persuaded that this would be likely to prejudice the public authority’s ability to exercise its functions………. As noted above, the public authority could compel MK Airlines to provide it with the necessary information to enable it to ascertain its suitability as an air operator or risk losing its air operator licence.”
Editor’s note: Once again a public authority found guilty of slapping an exemption on without any real thought of what the prejudice might actually be and how it might occur. The simple fact of the matter is that airlines HAVE to co-operate with the CAA if they want to keep flying. The fact these reports may now become public knowledge has the potential to embarrass both sides but that is not an exemption. This has important consequences for other public authorities, particularly police forces, who must show how they will be prejudiced if they want to apply an exemption.