
NHS worst for data breaches - Information Commissioner

BBC, published Apr 28, 2010

The NHS has reported the highest number of serious data breaches of any UK organisation since the end of 2007, the Information Commissioner's Office says.

David Smith, deputy commissioner at the ICO, told the Infosec security conference that the NHS had highlighted 287 breaches to it in that period.

That accounts for more than 30% of the total number reported.

The NHS - the UK's largest employer with 1.7m staff - is in the process of rolling out digital patient records.

Most of the breaches (113) were the result of stolen data or hardware, followed by 82 cases of lost data or hardware.

Mr Smith said the problems were not confined to the public sector and that results could be skewed because the public sector has a culture of reporting all breaches whereas not all private sector firms did.

Richard Vautrey, the deputy chair of the British Medical Association's GPs committee, thinks the number of breaches reflects the size and complexity of the NHS as well as its culture of openness.

"So many people have access to data and often human error is to blame. There is an increased attempt to be open and honest about what happens to data," he said.

He added that he was not aware of a specific case where a data breach had affected patient privacy or care.

"We need to keep their breaches in perspective," he said.

As part of its plans to digitise patient records, the NHS is asking patients if they want their data stored on national databases. It is important that people are given the chance to opt out, said Mr Vautrey.

Currently the reporting procedure for data breaches in the UK is voluntary although the ICO is "moving towards" a compulsory system.

In April the ICO introduced fines of up to £500,000 for serious data breaches.

The European Union's Telecoms Package requires telecom firms to report data breaches and Mr Smith said he expected this requirement to expand beyond telcos.

Data encryption firm PGP welcomed the tough new approach to data security.

"Finally the ICO, which has long demanded greater powers, will be able to severely punish those in serious breach of the Data Protection Act. For too long, organisations have continued to ignore the warning signs - risking both the privacy of their customers and the reputations of their brands," said Jamie Cowper, European marketing director at PGP.

He anticipates "severe fines" for the next private sector company to be involved in a serious data breach although he does not imagine the ICO will pursue the NHS.

PGP calculated that data breaches cost companies, on average, £67 per piece of data lost.

This article was originally published by BBC.