Too-expansive access control lands NHS Birmingham East and North in breach of the Data Protection Act
NHS Birmingham East and North (BEN) breached the Data Protection Act by failing to restrict access to files on its IT network, the Information Commissioner’s Office (ICO) announced today. The breach, which BEN discovered on September 8, meant that some NHS staff at BEN and at two other nearby NHS Trusts could potentially access restricted information. BEN hosted IT services for itself and the two other unnamed Trusts.
BEN reported the breach to the ICO in September last year. The potentially accessible files included thousands of patient files, some relating to the physical or mental health or condition of the patients, as well as files on employees. The ICO’s investigation found that, while most of the files were not easily accessible and some security restrictions were in place, file security in general was inadequate.
Denise McLellan, Chief Executive of BEN, has signed an undertaking to ensure that adequate technical security measures are in place to prevent unauthorised access to personal data. The Trust will also make sure that comprehensive policies are established regarding the storage and usage of personal data and that staff receive the necessary training on how to follow them.