The Information Commissioner’s Office (ICO) website is always a fascinating
read. He is the guy who you complain to if someone misuses your personal
information. He also deals with appeals to get information, when some
organisation has information about you but won’t tell you what it is. He also
fines organisations quite big money if they lose your data. There's little mention recently specifically of data on older people, but that doesn't comfort me.
The regular flow of fines of health and social care authorities suggests that nobody much in health and social care has bothered much to set up good data systems about vulnerable people. There are regular disclosures of information about children in care (as it used to be called - being 'looked after' or safeguarded is the current jargon) and medical records, so I don't suppose people in health and social care have good systems for the confidentiality of older people's data either. I suspect there may be it's another form of age discrimination: they're only old - there's nothing much important to keep confidential. I don't suppose it's evil intent, it's more being casual because you;re used to dealing with loads of this stuff every day.
This month, the ICO fined Torbay Care Trust £175,000 because they
published confidential details about their staff on their website, details like
the sexual orientation (that means whether they were gay or lesbian or
something else), religion, ethnicity (race to most people but ethnicity is the
technical word) and disability. They did this for 19 weeks, would you believe,
until someone noticed.
But you don’t get fined just for doing something crass like
this. To get fined you have to have really not bothered. Like Torbay. They had no procedures to check for releases of information, no
initial or update training for your staff and so on. Lots of health trusts and social
services authorities do things like this, because they have so much of our data in their records that it all seems sameish. But to us, it could be really important.
One breach that probably will affect older people is the Central London Community Healthcare (CLCH) NHS Trust which was fined £90,000 earlier this year for faxing medical information from its palliative care unit (which deals with dying people) to the wrong number.
Last year, Powys County
Council sent details about a child protection case to the wrong person. It
seems reports were sent from a computer to a printer that was shared by several
people and the reports on this child got mixed up with someone else’s report
and sent to the wrong person. You can be see it would be easy to do. But, this was the second time Powys social services had
done this, so, even after a warning, they’re obviously not working at it.
It really needs constant attention to detail: the detail about how our records are kept.
Earlier this year, Belfast Health and Social Care Trust was
fined £225,000 for keeping old records about patients and staff in a disused hospital, with poor
security, and not destroying records in accordance with the rules for getting
rid of records when they are no longer needed. And Brighton and Sussex
University Hospitals NHS Trust was fined £325,000 for allowing hard drives with
data about patients HIV and genito-urinary condition to be sold off on the
internet.
There are several other reports about health trusts and
local social care services. None are specifically about information about older
people going missing or being wrongly used. This fact does not give me a sense
that everything’s alright with older people’s records, though.
Just to show that keeping our data secret is not rocket science,
the Information Commissioner has recently published five tips for charities like
Age UK who are handling our data. The advice is stunningly obvious, and the
fact that they bothered to publish it at all suggests that we all ought to
worry more about how organisations that are supposed to help and care for us are
using our information. Here is the ICO's five top tips for keeping information confidential:
Link to information about the guidance of charities and voluntary organisations.1 Tell people what you are doing with their data. People should know what you are doing with their information and who it will be shared with. This is a legal requirement (as well as established best practice) so it is important you are open and honest with people about how their data will be used.2 Make sure your staff are adequately trained. New employees must receive data protection training to explain how they should store and handle personal information. Refresher training should be provided at regular intervals for existing staff.3 Use strong passwords. There is no point protecting the personal information you hold with a password if that password is easy to guess. All passwords should contain upper and lower case letters, a number and ideally a symbol. This will help to keep your information secure from would-be thieves.4 Encrypt all portable devices. Make sure all portable devices – such as memory sticks and laptops – used to store personal information are encrypted.5 Only keep people’s information for as long as necessary. Make sure your organisation has established retention periods in place and set up a process for deleting personal information once it is no longer required.
No comments:
Post a Comment