Doctors and health officials who lose laptops containing patient information could face prosecution under new rules being considered by the UK Information Commissioner’s Office (ICO).
The revelation came as the information commissioner, Richard Thomas, was questioned by the Lords’ Constitution Committee which is investigating surveillance and data collection as part of its brief to report on the topic by the middle of next year.
Sanctions in England and Wales would include unlimited fines if action ended up in a crown court, or a fine of £5,000 in a lower magistrates’ court. Taking such action against doctors marks a step-change in official attitudes to data theft in the UK, and the first time punishments have included fines.
"If a doctor, or hospital [employee] leaves a laptop containing patients’ records in his car and it is stolen, it is hard to see that is anything but gross negligence," The Times newspaper reported Thomas as saying.
Reaction to the proposal has been negative, many seeing it as inconsistent to pursue health workers while ignoring other public servants and private institutions. Encryption companies queued up within minutes of the report to make the obvious point that pursuing offenders shouldn't distract from the need to protect the data itself.
"Criminalising doctors for having their laptop stolen sounds to me like cracking a nut with a sledgehammer," said Tom de Jongh of encryption vendor safeBoot.
"The fact is whenever a piece of equipment leaves the doctors environment it has the potential to go missing. With the best intentions in the world things get stolen – this is what I call the 'human factor'. A doctor cannot guarantee that he or she will not fall victim of a crime and should not be punished for this," he said.
PGP Corporation, also an encryption specialist, chimed in with similar thoughts. "By placing the emphasis on protecting the device - specifically laptops - rather than the confidential data itself, he could be accused of treating the symptoms of this problem, rather than providing a cure," said PGP's Jamie Cowper.
"To be entirely effective, the NHS should respond to the proposed legislation with both a programme of data security education and a systematic roll-out of data protection technology such as encryption," he added, perhaps predictably.
"Data protection needs to start within the surgery. Meaning, patient records that are not protected in line with data protection laws should simply not be allowed to be transferred on to mobile devices. Policies can be put in place to monitor and control the flow of data," suggested Alan Bentley of Lumension, formerly Patchlink.
The ICO was set up by the government as an independent body to oversee the 1998 Data Protection Act and the 2000 Freedom of Information Act. The IOC also sets rules on how organisations are allowed to monitor their staff while at work.