There's more to this story than meets the eye
My first reaction to the headline was "at long last, somebody's been held personally liable for data loss" but reading earlier comments has made me reconsider my bloodthirsty attitude.
It's clear, in a fuzzy, foggy, vague sort of way, that there is no established protocol covering the use of what, for lack of a better word, we can call "confidential data." By this, I mean an established, universal protocol applicable to enterprises of all sorts, not just the Colchester Hospital, the NHS, or medical operations in general.
Such a protocol might include, for example:
1. Stipulation of a confidentiality level for every data item on file. Names, DOB, ID numbers, telephone numbers, and addresses would be among the more highly confidential items.
2. A need-to-know policy that relates all uses of data to the confidentiality level. For example, if a statistical study is carried out, none of the highly confidential data would be available. But note, otoh, that an office receptionist must know names and telephone numbers, among other things.
[PS: points 1 & 2 are written vis a vis medical records. In the business world, proprietary data would also be of the highest confidentiality, but would also have to be available for some statistical analyses.]
3. Universal provision of server space so data is never stored on a laptop or desktop system.
4. A review of this insane idea that one is on the job 24/7/365. Let's have a one-to-one correspondence between hours in the office and hours of work, no work outside those hours at all. IOW, no work at home, while commuting, while on vacation, etc.
5. Hardware solutions like diskless systems, blocking portable storage devices, no individual burning of CDs, etc. Alternatively, if a local disk is essential (not merely something a Big Boss craves), rollout of new machines should include installation of full disk encryption.
This is the merest skeleton of such a protocol; I'll leave it to the more highly tuned brains of others to flesh it out in detail and turn it into a viable standard. [And yes, I've repeated points made in earlier comments. No claim for originality.]
The barriers to establishing such a protocol and to its implementation are two-fold. First of all, the existing standards mechanism, such as the ISO's, is beyond clumsy and awkward, being a committee effort. I almost have more faith in the one-man RFC than in the ISO approach to the formulation of standards.
Second, management are meatheads. Management ranks in many, perhaps all, enterprises of all sorts, are filled with those who have reached, and in many instances risen above, their respective levels of incompetence. Perhaps the only solution is to stipulate that organizational heads are personally responsible, and it's up to them to ensure that the managerial ranks under them fully understand and buy into such standard protocols. IOW, if you are a CEO and not a meathead yourself, you'll have to get rid of the meatheads under you. You can always put them to work swabbing out toilets. Boards would have to be responsible, at risk of dismissal, for ensuring that their CEO isn't a meathead himself.
This second barrier is more severe than it might seem. My own experience is that once an idiot manages to weasel himself into the ranks of management, he becomes an untouchable: no matter what his failures and misdeeds and incompetencies, he will never be fired, not even demoted.
Apologies for an overly long, rambling comment. I hope it provokes further thinking by the tribe of El Reg readers.
Too bad there's no "won't shut up" icon for longwinded screeds like this one. Ballmer will have to do.