Lessons from the NHS Digital data breach: how to assess your organisation’s risk

NHS Digital, the national information and technology partner for health and social care, recently discovered that 150,000 patients’ data had been shared without permission. All of those affected were national data opt-out (previously Type 2 opt-out) patients registered with GPs who used TPP’s SystmOne software after 31 March 2015. ‘National data opt-out’ means that patient information should only be used for the purposes of individual care. In these cases, that information had also been used for clinical audits and research. The cause is said to be a coding error in TPPs’ application. The software developer has said it “apologises unreservedly” for the fault.

Jackie Doyle-Price, Parliamentary Under-Secretary of State for Health, said in her statement to parliament that in the aftermath of the breach being identified, NHS Digital will be writing to all TPP-using GP practices to make them aware of the issue and ask them to reassure all affected patients. The ICO (Information Commissioner’s Office) and the NDG (National Data Guardian) have been notified of the breach. NHS Digital highlighted that there is no risk to patient care as a result of the breach.

The breach highlights a potential flaw in the information security management of the GP practices involved, as the opt-out data did not meet the three criteria of information security: confidentiality, integrity and availability. Although little information is available on how NHS Digital plans to improve its practices in light of this incident, the statement to parliament does say that new arrangements are being put in place to give patients “direct control” over their data without the use of GP systems.

This incident also highlights how important it is for organisations to know what information security risks they may face, both within their organisation and throughout their supply chain. This is not the first breach caused by supplier failure, and organisations that do not understand how data is processed throughout their organisation and the associated risks are far more susceptible to a breach and less likely to be able to respond effectively, should an incident occur.

Data Flow Mapping Tool

With the GDPR (General Data Protection Regulation) now in force, data protection should be top of every organisation’s agenda. Any NHS data breach will be high-profile; as such, its customers (patients) will hear about the breach. Although this is bad publicity for the NHS, patients will still use its services, as most have no alternative.

If you are an organisation that depends on customer trust to generate revenue, the consequences could be very different. Beyond the GDPR fine (up to €20 million or 4% of global annual turnover, whichever is the greater), a data breach could mean bad publicity and losing the trust of your customers. This could have much greater impact on your revenue than just the fine.

You have to know where your organisation keeps its data, including with any third parties you may use to support business operations. A data flow audit should be a regular task within any organisation; the Data Flow Mapping Tool will help you understand your data assets.

Data Flow Mapping Tool – Simplify the process of creating data flow maps

  • Easy-to-use
  • Geared for repeatability
  • Logs personal data items
  • Generates data flow reports
  • Embeds data protection by design

If you want to know more about our Data Flow Mapping Tool, watch our teaser video >>

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.