UK. Medical and social security records kept by public bodies are being unlawfully or inappropriately accessed dozens of times a month and hundreds of civil servants disciplined for data offences, according to Government records.
Staff at the Department for Work and Pension (DWP) are being reprimanded at a rate of nearly five per day for breach of the rules governing its vast database - thought to be the largest of its kind in Europe - while the Department of Health (DoH) last year recorded 13 cases a month of unlawful access to medical records.
The statistics, obtained by Channel 4’s Dispatches under the Freedom of Information Act, will increase concern about the security of personal data and the ease with which private investigators are selling access to personal and confidential information, much of which is held on state computer systems and is illegal to obtain without suitable authorisation.
The DWP figures show that between April 2010 and last March a total of 513 staff members were disciplined for “unauthorised disclosure of official, sensitive, private and/or personal information... to anyone” from its database holding the records of 98 million people, which can be accessed by 200,000 people. For the 10 months from April 2011 to this January, the figure was 463.
When all types are data offence are taken into account, ranging from breaches of the Data Protection Act to inappropriate browsing of personal records of benefits claimants, some 1,172 civil servants were disciplined between April 2010 and last March, with a further 992 reprimanded between April 2011 and this January - equivalent to 4.57 cases per working day.
The DoH told Dispatches that it does not collect details of all cases of unlawful access of medical records but said it was aware of 158 incidents in 2011 - equivalent to 13 per month. In 2007, the figure was 28.
It is not known how many of data breaches involved the passing of information to an outside individual. The DWP said there had been 11 “serious cases” of personal data loss since 2007 which had been reported to the Information Commissioner’s Office.
A Dispatches programme to be broadcast tonight, Watching the Detectives, will report the results of a year-long investigation into private detectives who are accused of selling access to health, benefit and criminal records as well as mobile phone bill and bank accounts.
A spokeswoman for the DWP, which employs 100,000 people, said it had taken action in recent years to improve staff awareness of data protection. She said: “DWP makes millions of data transactions every week and while instances of misuse are low, we take security seriously which is why we have a process in place to detect them and take the necessary action. ”
In a statement, the DoH said: “The Department of Health provides clear guidelines on patient confidentiality and effective information security. Individual NHS organisations are responsible for ensuring that their staff know what is expected of them in regard to respecting the confidentiality of their patients.
“Medical records are private and any abuse of their confidentiality is deplorable. Individuals have a right to know that their personal information is protected. The NHS takes protecting individual privacy extremely seriously and if any member of staff is discovered intentionally breaching this, they will be subject to appropriate disciplinary action.
Nikolai Fedotov, Head Analyst of InfoWatch, commented: «We point out that incidents vary. There are many “incidents” around this base when a user receives a penalty for the violation of enacted confidentiality. There are far fewer incidents when data from the base leaks and is stolen. And there are no notifications whatsoever on how the data was used to steal money. They don’t protect where people steal, but where people don’t steal; this is an ancient sin of European humanism. Unfortunately, this has been included in Russian Federal Law 152-FZ (although this time without humanism)».