New moves on data security

Information Commissioner Richard Thomas has backed proposals by cabinet secretary, Sir Gus O’Donnell, to hold senior Whitehall mandarins and NHS chief executives personally responsible if their department or trust loses or mishandles personal information.

Speaking at the Infosecurity Europe conference in London, Mr Thomas said he has seen the draft of a report on data security prepared by Sir Gus, and that he backed its proposal to make senior civil servants responsible for all issues relating to issues of accountability and information governance. "It has to be the likes of chief executives of NHS trusts and permanent secretaries who are held accountable when things go wrong."

He said: “It has to be the likes of chief executives of NHS trusts and permanent secretaries who are held accountable when things go wrong. They can't simply make assumptions that everything is in the hands of the techies.”

Sir Gus was commissioned to produce a report on data security by Prime Minister Gordon Brown, following the loss of the records of 25 million child benefit claimants by HM Revenue and Customs last November. He is expected to release it to Parliament next month.

The review was one of a number of measures taken by the government to try and restore public confidence in its handling of personal data. Mr Thomas said that his department would also start to conduct “spot checks” on government departments and agencies later this year.

"There are going to be new requirements for Whitehall departments and new guidance for the public sector at large," Thomas added.

"This is not just about data security. We need to ask a whole range of questions, such as why so much information is being collected. Why is it being retained for so long? Why are laptops which hold the information not being encrypted? And why are such laptops being left in the backs of cars?" "This is not just about data security. We need to ask a whole range of questions, such as why so much information is being collected."

The NHS has reported more than ten data security breaches to the Information Commissioner in the six months since the HMRC data breach. Measures to crack down on NHS staff who sell or lead personal details to detectives, the press and others are also under discussion.

In response to Mr Thomas’ latest comments, an ASSIST and UKCHIP spokesperson said that NHS chief executive David Nicholson had already stressed that chief executives should take personal responsibility for information.

“Information security and governance have struggled to get recognition by boards, so this move could only improve things” they added. “Chief executives already have responsibility for clinical governance; there is no reason to them to think about information governance in a different light.”

Further Reading

- Read a feature on the HMRC data breach, its implications for the NHS, and how technology can help to prevent future incidents

- In this feature about information governance, our columnist Jon Hoeksma considers the importance of new laws to stop individuals disclosing personal details