A Gosport podiatrist’s laptop holding patients’ personal and medical records has been stolen. Any database containing medical information needs to be encrypted, full stop. Whilst the podiatrist claims the laptop was protected by a Windows password, this form of security is rudimentary at best: a logon password only controls who can sign in to the operating system, it does not encrypt the data held on the disk, and it can be cracked in minutes by a determined hacker.
And since we’re talking about people’s medical details here – with all the associated issues of financial and emotional blackmail, fraud and other nastiness that ensue – a Windows password is about as much use as a chocolate teapot. Encryption is a must-have, as is the question of whether this information should be on a laptop in the first place.
The fact that the ICO is already on the case is an indication of the potential severity of this clear breach of the Data Protection Act. And as the penalty of £140,000 levied earlier this week against Midlothian Council – the highest fine for a data breach seen so far – shows, the ICO is clearly gunning for those organisations that drop the ball on data security.
With the enhanced penalties that can be levied under the Data Protection Act coming up for their second anniversary this spring, there are signs that the ICO is prepared to clamp down hard on organisations – on both sides of the public and private sector divide – that break the provisions of the Act.
And let’s not beat about the bush – the Data Protection Act has been backed by the full weight of the civil and criminal law ever since it was created in 1998. In addition, whilst the eight data protection principles involved are quite complex, a breach of the Act is an offence that now brings with it penalties of up to a quarter of a million pounds.
On top of this, a fine is only one part of the penalties that an organisation can suffer. There is also the public embarrassment and the potential loss of confidence that needs to be considered.
It doesn’t help the reputation of the organisation concerned when the first news reports on the loss quote the laptop user as saying that she does not know much about encryption and that she is not good with computers. The company should have provided effective security training for its staff, especially since they deal with patient data.
This unfortunate case highlights all that is wrong with IT security education and policy enforcement in the private sector. Better education and mandatory encryption of medical records are clearly called for.
As the dust settles on this case and a full ICO investigation ensues, it is to be hoped that the lessons learned will act as a wake-up call to anyone handling patient data, regardless of who their employer is. Medical data needs protection, especially in portable computing environments.