Oh so it's _old_ data? That's fine, I don't mind people knowing that I used to be a borderline psychopath on eight different drugs (plus the two for my STDs)
[Anonymous cos actually I do mind really...]
An NHS trust has told patients that it is acting to improve its data handling practices after a rebuke from the Information Commissioner's Office (ICO) for losing a CD containing details on 1.6 million people. Chief executive of NHS Kent and Medway Ann Sutton said that information is now more secure following the …
Judging by the note from the relevant parties, that shouldn't have been distributed. Apparently it was only(!) names, DOBs, GP details and NHS number, which means that unless whoever has said CD can also get hold of other details, very likely they can't do a lot with it.
Unless reception staff haven't been told basic DPA procedures and that they don't ask for details about you that won't be from the above... oh wait...
All the time the excuses keep coming the more likely the next cock-up is simply seen as another silly mistake, "Doh, oh those naughty office staff and their silly ways!", until they lose something of serious value.
So what if it's old and pretty much anonymised, what happens next time the dingbat who lost this stack of info, loses something that is actually worth something to someone? This pillock and his managers need to be pulled up over this, next time it could be another list of at risk kids or domestically abused spouses that goes walkabout. All they get is a strongly worded letter from the ICO and a warning to "Not be so naughty next time!", not going to ensure they think twice before burning a copy of the patient register to a DVD.
According to the Guardian they are worried about people being able to hack their network. Which makes me wonder when they read the data on the CD the computer they are using is on the same network. Anyway the NHS is full of "Stakeholders" who have little knowledge of IT so it's the blind leading the blind.
"Sutton added: We have already strengthened our information governance policies, procedures and training on the basis of our internal investigation of the incident. The information commissioner's recommendations to improve them further will be implemented fully."
How many more times are we going to hear this meaningless rubbish about "learning lessons"?
Yet again the NHS has repeatedly demonstrated that it is incapable of handling sensitive data.
(AC 'cause I work for the NHS)
Time and again I've been allowed to leave NHS sites with 'failed' mirror disks from servers that have easily recoverable data, I'm trusted not to pop them back into a server and force them back online or otherwise recover data from them.
Fortunately for the trusts I visit, I don't and we operate a secure destruction policy but if there was the will...
Now I know assumption is the mother of all f*ck ups but I'm gonna go right ahead and assume you work for some third party service provider and that this service provider is legitimate and that they have a formal agreement with the customers they work for. I'll also assume that if you were to do anything illegitimate pertaining to those provided services you'd find yourself in a similar position to Private Manning but without the media attention, political sensitivity or legal backing from anywhere...so, good luck with that.
"Ooh" said the NHS executive to himself "I've got a great idea, why don't I set up a taxi fund for patients, set a direct debit up into it, tell no one else about it and then keel over with a fatal heart attack.. That'll give the auditors something to do in 3 years time... I'll call it the where's the missing million game..." *evil grin*
Or how about employing 4 people at £100 a day to sit in the cafe, because not one of the current IT "gods" had the remotest idea how to unlock the machines' user policies so they could be updated with new anti virus. You guessed it, the guy who did the policies had since left.
That's just two examples of ONE NHS trust that I worked for - let alone the "here's a list of the drugs she can't have" debacle that cost my grandmother her life. But then, you'd give a person morphine for a chest infection right?..
Three examples of just one of the many trusts in the UK.
I find the "but it's old data" comment a total load of crap. People don't change birthdates, they often live in one place for most of a lifetime. How is that old data?
Then there's the potential for blackmail and company abuses. You were on antidepressants, you're unstable, bye bye promotion. The fact that you were on them because you were the sole survivor of a car crash that wiped out your family.. Irrelevant (the fact that people have been put on a/ds for this very reason beggars belief).
There is a way of solving this. Use a simple device with a dual function. Design a wristwatch with a damn big memory store and a usb connector. Distribute accordingly. In my entire life I have lost a watch the grand total of once. It's been done before, the Onhandpc (640kb ram, 3mhz processor, DOS, PIM and a working spreadsheet of all things) or the WristPDA that ran Palm OS 4.1. I have both and I still have them, yet I've managed to lose 2 meter long snakes while being in the same room & have spent countless hours chanting the mantra "where are my f*#king keys" and missing buses by 30 seconds as a result.
This is not a difficult problem to solve, so why are we mourning the loss of our data and doing bugger all to suggest ways of securing it?
Genuine sympathies btw. I've been there myself.
In defence of morphine, it's not a precision weapon, and it is extremely potent and thus is not risk free.
With my own circumstances, I was actually glad the morphine did its work; my aunt had suffered for years in crippling pain with terminal lung cancer. I suspect many other relatives of terminal patients are also glad of its 'undesired' effects; it does at least allow the patients 'on the home straight' to pass away pain-free.
I could claim - controversially - that in some cases the doctors and nurses will have a good idea which side of the risk equation a specific patient will be on when they administer it. When my time comes, and if I'm riddled with terminal cancer, I hope I get one of those doctors.
Morphine is indeed collateral-tastic (apparently recent studies indicate it helps the spread of cancers ironically by increasing the proliferation of blood vessels). However a doctor being handed a list of a patient's allergies, with morphine at the very top, after the nurse on the case has looked at the list and *added* additional probable problem drugs. Then the doctor overrules the nurse and injects said patient with Morphine....
She was dead within 20 minutes. From being able to walk into the hospital unaided to being dead - that's pretty effective incompetence even by NHS standards. And that's not to mention the situations I have found myself in. We need to take bloods from your wrist, I swear there would have been less swelling and damage if the person had taken the blood with a shovel. As it was I collapsed in the middle of the ward and ended up on oxygen. Not good.
And I reckon I've lost at least a dozen, at least two of which are under 60 feet of water at a certain Thames water reservoir and might just get picked up next time they drain the reservoir for maintenance... Universal solutions are pretty much impossible.
... are that if you do something wrong, nothing happens in the uncivil service.
Unless the "lessons learnt" are: "You make a serious mistake with people's personal information = you get fired" then there will be no reason for these complete incompetent fuckwits to change their behaviour.
that one day, maybe not tomorrow but one day, the Manager of the department who shed the data will get the boot in a 'do not pass go, do not collect 2 years of salary' kind of way. If there is not a personal impact then why the hell should they care.
OK, yes I can see exactly why they SHOULD care, but you know what I mean.
To be honest the people I know in that area are less concerned about their local NHS trust losing their name and DOB than they are about the slim chances of surviving a stay in any of their hospitals.
Obviously, not being a health professional one would be hard pressed to claim there was a culture of clinical negligence going on, but there is unquestionably a public perception of a culture of clinical negligence that is fuelled by every new horror story from patients or the families of patients...
Speaking personally I would much rather they employed staff who cared about getting me well.
Sacking people or whatever will achieve nothing because no-one sets out to get things wrong. Everyone knows they'll get badly hurt if they have a car accident but we still have a bloody great death toll in avoidable accidents every year.
The only way to stop data getting off the system is to make it impossible for data to get off the system and accept a soddin' great increase in costs and reduction in productivity...
@JimC - the ones that have access to 1.6 million sets of details on a CD aren't the ones on the front line taking blood, wiping arses, delivering drugs or checking temperatures. The main fuckwits are the information workers that *think* they're better than the frontline staff and don't turn up for their data protection training because they're too important.
AC cos I changed from the private sector to the NHS two years ago - I'm still shocked at the everyday basic incompetence I see everywhere I look. I had to stop pointing out the idiot flaws in everything that came to my attention as it was '... too negative and confrontational ....'
"names, addresses, dates of birth, NHS numbers and GP details" since 2002. name, DOB and NHS number not only will not change, but are also uniquely identifiable and therefore easy to put to use for fraud / ID stealing. address + GP details.... sure some people will have changed them in 10 years but I would bet at least half the 1.6 million people still had the same address as in 2002.
"after a rebuke" - 1.6 million records lost and all they get is a rebuke, saying that the ICO is merely toothless would be a gross understatement. Number of people fired for gross incompetence - at a guess I'd say approximately zero
To begin with all personnel (and their bosses) could be charged with 1.6 MILLION counts of id-theft (just the way RIAA does it, oh yeah!).
Once begun, the policy makers of said institutions can also be charged for all damages resulting from the negligence (e.g. : government -securely this time- reissues new "official use" birthdates for all people outed for all banking/online gaming/etc use, etc etc)
A fertile imagination for constructive use of mischief is all we need.