A medical student was preparing a case presentation for the department in which she was working. She copied identifiable patient details onto her personal laptop and also kept a spreadsheet on her desktop with the names and clinical details of patients she had seen and the dates she had seen them. The laptop was password-protected, but her password was 'password'.
On Friday night she discovered that the laptop was missing. She realised that she didn't remember if she had her laptop bag with her when she got off the train that afternoon. Over the weekend she searched everywhere she had been but was unable to find the laptop. On Monday morning she telephoned the MDU advice line to ask what she should do.
Patient information is special category data under the General Data Protection Regulation (GDPR), and its security is very important. Anyone responsible for the information must apply security measures appropriate to the level of risk that a data breach would pose to the data subject (the person whose data is being collected, held or processed). For special category data, the risk from data loss is high.
NHS Digital advises that staff can only use their own personal IT equipment for official purposes if they have been given permission to do so. They offer detailed guidance about what you need to do if you are given permission to use your own device to access identifiable patient data – including the use of passcodes, second passwords and remote wiping of data following a number of failed logins.
The GMC in its guidance on confidentiality states that a doctor has a responsibility to manage and protect information and to 'make sure any personal information about patients that you hold or control is effectively protected at all times against improper access, disclosure or loss'.
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data.
Under new data protection legislation (GDPR and Data Protection Act 2018) certain personal data breaches need to be notified to the Information Commissioner. A breach of confidentiality of patient data is one of the situations where the ICO should be notified.
Because of its sensitivity, a breach involving patient data is considered likely to result in a high risk to the patient's rights and freedoms.
A notifiable breach must be reported to the ICO without undue delay and no later than 72 hours (not 72 working hours) after becoming aware of it. The patient or patients concerned should also be told, since the breach is likely to result in a high risk to their rights and freedoms.
Under GDPR, the threshold for informing data subjects of a data breach is normally higher than the threshold for informing the ICO, but because a breach of patient data is likely to result in a high risk to the patient's rights and freedoms, patients should usually be informed.
Failing to notify the ICO of a data breach can result in significant fines for the organisation involved, in this case the hospital trust.
The MDU adviser told the student to contact her consultant immediately to tell them what had happened, as it had been nearly 72 hours since she had discovered the data loss. The consultant would know the trust's process to inform the relevant people of the breach.
The adviser explained to the student that she should not take identifiable patient details out of the hospital. Even when anonymising data, she should be careful in cases involving a very rare or unusual condition, since information other than the name and date of birth could be pieced together to identify the patient.
Finally, the adviser suggested that the student might wish to inform the university of the data breach herself rather than wait for the hospital to tell them. The adviser suggested that the student should read the GMC's guidance on confidentiality and the relevant pages on the ICO website as part of her reflections on what had happened, so that she could discuss what she had learnt at her annual training review.