‘Alice in Wonderland’ ruling from the ICO

Frank Field MP has been left frustrated by attempts to use FoI to uncover alleged fraud at his local hospital.

Veteran Labour MP Frank Field has attacked the Information Commissioner for an “Alice in Wonderland” decision into his attempts to gain access to reports about alleged fraud in his local hospital.

Mr Field was tipped off about a doctor at the Arrowe Park Hospital, in Merseyside, using NHS resources to treat his private patients. He contacted the hospital who admitted there had been some ‘mistakes’ but refused to give him any more details.

The MPs attempts to get any more details were rebuffed by Wirral University Teaching Hospital Trust and eventually the matter landed up on the Information Commissioner’s desk.

Mr Field implies he managed to speed the case ahead of others by “writing a personal note” to the Information Commissioner - but the decision did him no favours.

The Commissioner ruled the Trust should not have confirmed or denied it had such information as it was sensitive personal data covered by Section 40 of the Freedom of Information Act.

A bizarre ruling when looked at from Mr Field’s view as he knows the name of the doctor - he included it in the question - and he knows of the existence of such a report, and he was told by the Trust the doctor had confessed to some mistakes.

However, the Commissioner approaches the decision from the “applicant blind” viewpoint and because the identity of the doctor is not generally known to release it via a FoI request would be a breach of S.40.

Here is the Information Commissioner’s decision [link] and here are Mr Field’s thoughts on the matter:

Beating fraud against taxpayers is difficult. I have been trying to get a proper investigation since September 2007 into an alleged fraud in the NHS.  

A constituent reported to me that they thought their doctor was using the NHS for private patients. I wrote to Arrowe Park hospital in Wirral against whom the alleged fraud had taken place.

In the November I was able to meet the senior executives at the hospital.

I was told at this meeting that the doctor had confessed to errors, and had allowed nearly 100 blood tests for private patients to be sent to the laboratories at Arrowe Park hospital under the cover that they were NHS patients. I was told at the meeting that the doctor had repaid these costs.

I asked to see copies of any reports the hospital had undertaken into this alleged fraud.

I also asked whether the hospital would extend its enquiries into other areas - such as scans and x-rays - to see whether the same mistake of presenting private patients as NHS patients had similarly occurred.

On both fronts Wirral Hospital Trust refused my requests.

In January 2008 I asked for this information under the Freedom of Information Act. After some time the Trust refused this application.

In July 2008 I went to the Information Commissioner who as we all know has done a pretty good job in policing and making this Act effective. The Commissioner is clearly overworked.

Nothing happened for ages. I then wrote a personal note to the Commissioner and only then was a caseworker appointed to my case.

Almost a year later the Commissioner wrote to me refusing my request. The reasoning was straight Alice in Wonderland stuff.

My request was refused because if I laid hands on these secret reports I would have personal information about the doctor concerned.

As the inquiries were looking into alleged fraud, by a doctor whose name I knew as I had referred the doctor to the Trust, this ruling must make the FoI Act a non-starter when efforts are being made to track down fraud against a body which is deeply uncooperative in helping that enquiry.

But worse was to follow. With the refusal came a note about the rights of appeal.

I have appealed against the decision although, given the Alice in Wonderland logic that no personal information can be disclosed, I am not holding my breath.

Worse still, the appeal letter told me I might be liable for the whole cost of the appeal. I therefore raised this matter before parliament rose for the summer recess asking the government to investigate.

I understand why costs might be awarded against an individual who has a record of bringing bizarre FoI claims. But that surely shouldn’t apply to reasonable citizens who are probably making their first application.

And should it apply to members of parliament? I would have had no interest in pursuing this case other than that public funds are at stake.

Was one of the aims of the Act to gag and blindfold MPs attempting to root out alleged fraud?

NHS losing yet more patient data

Carry on Data Loss?

Yet more NHS Trusts have been sent to the headmaster’s office for the slipshod way they deal with sensitive personal data.

This has been a recurrent theme this year and it would appear that the Information Commissioner is having a concerted push at NHS data security. Some might say it is like shooting fish in a barrel.

So far this year a total of 21 NHS executives in England have had to sign formal undertakings to promise to stick the letter of the Data Protection law.

The latest culprits are:

Surrey and Sussex Healthcare NHS Trust: A ward handover sheet containing the details of 23 patients was found discarded on a bus. Two computers, that were password protected, but contained the details of 80 patients were stolen from an area that was protected by three locked doors. Staff were said to have poor knowledge of the need to store data on network drives.

Royal Free Hampstead NHS Trust: A disc containing the details of 20,000 patients from the Cardiology department disappeared. The staff member responsible is said to have downloaded the data, of patients treated between 2000 and 2006 - but took five months to inform the hospital after the unencrypted disc disappeared. Where the disc is, how it was lost and exactly what it contains is unknown.

Hampshire Partnership NHS Trust: An employee attending a conference in London had their laptop stolen from the hotel. It contained the details of 349 patients and 258 staff. The laptop was not encrypted.

Epsom & St Helier University Hospitals NHS Trust: The Information Commissioner was brought in after a press report relating to the insecure handling of a  large quantity of patient records. An investigation found the records had been left in an room that was often unlocked after being moved from one site to another. Following a root cause analysis report by the Trust the Commissioner was still concerned the Trust appeared to have failed to recognise the staff training issues, equipment and resources factors, individual knowledge and skills areas, organisation and strategic issues and the question of culpability in respect of this breach.

Chelsea & Westminster Hospital NHS Foundation Trust: An unencrypted USB memory stick that held the personal data of 143 patients who attended a walk-in clinic at the hospital was stolen from an unattended and unlocked office. The memory stick belonged to the employee holding the clinic and was not password protected. The Trust employee was not aware that secure network drive and encryption facilities were available and used their own memory stick because Trust equipment was not available. It was also discovered that the Trust employee had used the memory stick and their own computer for home working.

More patient data going AWOL

Is that our missing memory stick?

The Information Commissioner’s Office (ICO) has warned another four NHS authorities about the way slipshod way they are handling patient data. All four organisations have signed undertakings to improve.

The public rebuke to the authorities comes hard on the heels of similar warnings to other health organisations reported here at ‘Password Blunder Blamed for Prison Breach’ and ‘Carers warned……

Mick Gorrill, Assistant Information Commissioner at the ICO, said: “These four cases serve as a stark reminder to all NHS organisations that sensitive patient information is not always being handled with adequate security.

“It is a matter of significant concern to us that in the last six months it has been necessary to take regulatory action against 14 NHS organisations for data breaches. In these latest cases staff members have accessed patient records without authorisation and on occasions, have failed to adhere to policies to protect such information in transit. There is little point in encrypting a portable media device and then attaching the password to it.

“Data protection must be a matter of good corporate governance and executive teams must ensure they have the right procedures in place to properly protect the personal information entrusted to them. Failure to do so could result in patient information, including sensitive medical records and treatment details falling into the wrong hands. Ultimately, the organisations risk losing the confidence of patients and their families.

“The Data Protection Act clearly states that organisations must take appropriate measures to ensure that personal information is kept secure. These four organisations recognise the seriousness of these data losses and have agreed to take immediate remedial action.”

St Georges Healthcare, London. Six laptop computers were stolen from the hospital’s Cardiac Management Offices. The laptops held information relating to almost 22,000 patients including their name, date of birth, contact details, hospital number and brief details of the patient’s planned treatment. Due to network connection problems the patient data had been stored on laptops against the Trust’s policy and the data was not encrypted.

Cambridge University Hospital Trust. A car wash attendant found a memory stick which when plugged into a computer revealed it held data belonging to the Trust and contained personal data of 741 patients. The memory stick, which was privately owned and unencrypted, contained data relating to medical treatment and had been left in an unattended car by a staff member from the hospital. The data had been downloaded on to the memory stick without the knowledge of the Trust.

The North West Hospitals NHS Trust. Two laptop computers stolen from the Audiology department of Central Middlesex Hospital held information on 181 patients including their name, date of birth, NHS or hospital number and hearing test results. The data was not encrypted. In a separate incident a desktop computer was stolen from the Clinical Haematology offices at Northwick Park Hospital. That computer held information on 180 patients including their name, hospital number, date of birth and some clinical follow up information. At the time of the theft, the swipe card security system that controlled entry to the building had been disabled for maintenance. The database containing the personal data in question was password protected, but was not encrypted.

Hull & East Yorkshire Hospitals Trust. A desktop PC, containing details of 300 patients, was lost during refurbishment of the renal dialysis office and a disused laptop, which held the data on around 2000 cancer patients was stolen from a locked office. Both devices were unencrypted.

The individual undertakings issued by the ICO can be seen here.

Password blunder blamed for prison data breach

The missing memory card mysteriously vanished in the prison

Another health trust has been blamed for losing the sensitive medical details of its patients - this time the records of 6,360 prisoners and ex-prisoners which were put on to a memory stick.

The health trust in question - NHS Central Lancashire - has blamed the mistake on “human error”. Its report into the matter found that the memory stick was encrypted but the password was written on a note attached to the card.

The USB stick was being used to back up clinical databases at HMP Preston when it was lost on 30 December. Despite a search the stick has not been found.

NHS Central Lancashire said procedures on data security had not been adhered to but that it had now taken action to remind staff of their responsibilities.

Prisoner surnames, their broad age range, prison number, cell location, prison clinic appointment times and review dates were all included in the information.

An “immediate and urgent” review of data policies was undertaken to ensure consistency regarding the use of USBs after the incident, the trust said.

All data sticks across the PCT were recalled and staff were reminded how to handle personal and sensitive information of patients and employees.

The Trust’s chief executive Joe Rafferty said: “There was a failure in the system which led to this incident happening and we have taken steps to make sure this doesn’t happen again.

“We are pleased that the Information Commissioner’s Office has recognised the swift action taken by NHS Central Lancashire following the information security breach and that, as a result, at present no formal action will be taken.”

Editor’s note: Yet another example of a health trust managing to lose its patients’ data (see previous post ‘Carers careless…..). I suspect they will not learn until somebody sues them for it, and then they will realise there are financial implications to their incompetence. For an example of how even a relatively small health trust will try to spin the facts have a look at its press release (link). Please post any suggestions that the password might have been. Fletch? Porridge? Doh?

Foundation Hospitals operating behind “closed doors”

I have found some interesting articles written by the Birmingham Post’s health reporter in the wake of the controversy relating to two local hospitals in her area. She claims that the move from becoming a ‘normal’ NHS Trust to Foundation status brings with it a reluctance to be as open with the public as they should be. Her comment piece is reproduced below and this links to the original article. If you work in the NHS do you think Foundation Hospitals are less open than their counterparts who are NHS Trusts? Please post your comments.

AS a journalist reporting on the health service, I have found that coveted Foundation status has been a major pitfall of a changing NHS, writes Alison Dayani.

 It seems to have helped allow health chiefs to become more secretive and run hospitals without a usual level of public scrutiny. I feel its by-product has been to assist hospital executives in placing extra barriers against reporters exposing embarrassing failures and irresponsible actions. 

 There is no longer a full public openness of a service that is still primarily funded by you and me, the tax-payer.

 A veil of secrecy has come down on agendas, board minutes and other documents that were once al-ways held in public, openly questioned and made managers answerable to patients and relatives.

 Hiding behind the “commercial interest” loophole that allows meetings to be held behind closed doors, press officers no longer inform journalists of when trust board meetings are held and if I ask for minutes, I am directed to internet sites that make them hard to find or limited reports, with the most recent often more than a year old.

 I used to be able to wander into board meetings and be free to report whatever aspects of business they were discussing. There were numerous reports sent to me direct - governance, finance, nursing committees - that I could browse to understand the true state of the hospital.

 But Foundation trusts now rely on spin-doctors and communications teams who can be difficult in passing on the information you require, knowing that the alternative Freedom of Information Act allows them 28 days to reply and reliant on the journalist knowing exactly what document and specific information to ask for.

 They seem to have forgotten that the public funds their wages, pays the bills and has a right to know everything they do.

 A press officer at a non-Foundation city hospital with public meetings once moaned to me that it wasn’t fair her trust got more negative exposure as Foundation hospitals were “getting away with murder”, but problems were being kept behind closed doors.

 Unfortunately, it is that layer of secrecy that has now created a breeding ground for horrors such as Stafford Hospital - and the only ones that suffers are the public.

‘Carers’ warned over careless data losses