NHS data loss – Legal Babble

My mother is a geriatric and has a series of medical issues. Therefore I need to organise her appointments etc. for her.

Without any political axe to grind here’s what’s happened over one day in my involvement with either the NHS itself or organisations it subcontracts to.

Expensive, incompetently managed and the cause of endless inconvenience.

One.

Continence nurse arrives 20mins late. Actually about four months late we requested a referral in May but the GP surgery failed to pass the referral on.

Consequently we’ve struggled on since May managing the condition on our own with occasional non-effective chase-ups of the practice.

Two.

Letter arrives from subcontracted provider. They want to do an ophthalmologist appointment by telephone. How they’ll be able to spot anything wrong with her eyes by hearing her voice is a mystery.

The letter also insufficiently explains the reason for the appointment and why it’s been requested. Half an hour on hold waiting to speak to the provider to establish need and purpose of appointment.

Three.

Her medication is delivered from the pharmacy.

This is after calling yesterday and being told they don’t accept repeat prescription orders on a Sunday. Guess what? That’s right. Not all medication has been delivered.

Call to pharmacy. Surgery has stopped the repeats on a vital tablet she takes three times a day.

Call to surgery. 40th in queue. They can’t understand why the tablet has been taken off repeat prescription but should be able to get her some more. By Wednesday.

Four.

She’s due a hospital out patient appointment tomorrow but this has been cancelled around 3.30 today. Have to then also cancel patient transport booked one week ago, which was a 45min call on its own.

Ring the hospital as the message was left with my mother who didn’t get all the details needed.

First few times it rings for a while then cuts off. This is standard for the hospital we deal with. Then get through to the wrong person who transfers me back to switchboard.

Finally get transferred to the right department. They clearly don’t like speaking to the public as there’s a voice message encouraging you to email them on an address no pensioner would be able to take down in time or likely spell correctly. Therefore still none the wiser about why the appointment has been cancelled or what happens next. No call back received.

Time taken overall: 3hrs

Cock-up’s occurred: Arguably 3-4

Patience: Exhausted

It’s the poor or non-existent communication that I find most irritating. That the patient’s representative or carer is left to chase up everything as nothing is explained in advance nor are the reasons for things happening. The experience of the NHS is therefore that you suffer the error first, then need to chase it up long before you gain the benefit of any service provided.

Brief post for today. Well a brief post by the standards of this blog!

In yesterday’s blog post one of the themes touched upon was how The Ministry of Justice had sent data in error to a third party. This was a serious breach of the data subject’s rights and potentially quite dangerous to the data subject as MoJ shared the subject’s name, address, date of birth and financial details.

The post discussed the attempts The Ministry of Justice made to get back at the accidental recipient of this data which included a false complaint to police to ensure he was arrested, although fully aware police would not be able to bring charges as no offence had taken place.

Elizabeth Denham, UK Information Commissioner

The Information Commissioner’s Office (ICO) is a quasi-Governmental organisation reliant on public funding. Their stated aim is to enforce data access rights of people in the UK and also to adjudicate on data protection issues: in other words to monitor that your personal data held by companies and Government organisations is kept safe.

So we can naturally expect ICO to fully comply with data protection legislation and be extra specially careful with their own handling of other people’s data.

Can’t we?

In a delicious piece of timing just after I’d written yesterday’s blog post about The Ministry of Justice emailing data to the wrong person ICO go and do the same by sending a letter in error to me which was intended for a third party, just like the error MoJ made!

I have of course deleted the email address of the intended recipient of this letter.

It seems that Dacorum Borough Council also suffers from the problem of email incontinence as they appear to have sent the intended recipient of the ICO letter some information despite claiming an apparent exemption over the data sent!

The ICO letter states:

I am aware that the council inadvertently provided you with the requested information.

Significantly the letter also states the grounds for the council attempting to withhold this data (but clearly not managing to) were under section 31 – that is a claimed exemption from disclosure as the data is related to law enforcement.

One might hope the ICO takes appropriate action against itself for this data breach.

In all honesty I wouldn’t hold my breath.

ICO’s present logo. Strange use of lower case letters and an inappropriate full stop.

Like many of the UK’s regulatory bodies such as The Parliamentary and Health Service Ombudsman or The Local Government Ombudsman the ICO has selective blindness in relation to even large scale and ongoing breaches of GDPR and The Data Protection Act.

Ultimately the best most complainants can hope for is a letter from the ICO informing them that their complaint has been upheld and that ICO will keep a record of the data protection concerns logged regarding the data controller complained of. This does not of course produce the data that has been requested! Occasionally ICO will assist by instructing the data controller to supply data if it is being clearly withheld. However if the data controller is sufficiently obstreperous there exists enough “trapdoors” in the relevant legislation that a (often misapplied) exemption will be used to avoid supply of the data.

The efforts organisations used to evade production of data include the mishandling of applications such as considering a subject access request for personal data as if it were a Data Protection Act request and so rejecting it without giving sufficient grounds to the requester. A further trick is to label everything as the personal data of a third party and thus exempt from disclosure: on this basis large scale parts of any data disclosed can be redacted (meaning blanked out).

In these circumstances ICO becomes like a turtle placed on its back: it spins around to no real effect.

Let’s look at the wider picture. A key thing to recall about most of the non-departmental public bodies supposed to supervise how the law or organisations work in Britain is that they rarely do. These supervisory bodies often exist instead to confirm the decisions made by the lower organisation or as a way to diffuse complaints safely and without litigation. Having said this ICO is better than most and does occasionally pursue misconducting organisations through the courts. But due to the pressure of time and resources they also habitually pursue only those organisations who have committed a blatant breach of the law which has been made public, or who would be less likely to defend themselves in court and thus drive up ICO’s expenses. The majority of the fines issued in successful judgments are not paid.

One example of this willingness to turn a blind eye on the part of ICO: a 2017 significant data breach by the NHS involving some 50,000 patients medical records – the largest loss of data in NHS history – was not prosecuted by ICO. This is a matter I will comment on in detail in a blog another day.

Tag: NHS data loss

One Day With The NHS

The ICO: Keeping Your Personal Data Safe?