DOZENS of NHS staff have been disciplined after data laws to protect patients’ personal information were breached at least 1,395 times over the last two years, an investigation has revealed.
Freedom of information requests have found there were at least 1,395 breaches recorded and 73 people have faced disciplinary action. Four people have been reported to Police Scotland.
Several NHS health boards did not disclose figures so the total could be higher.
The research, by award-winning investigations platform The Ferret, was prompted by the case of a radiographer who accessed the personal records of more than 200 female patients before stalking them.
Andrew Stewart, 32, worked at hospitals in Lanarkshire and Ayrshire, where he dealt with hundreds of patients.
READ MORE: Public bodies shed property worth hundreds of millions to balance books
He used his position to look up files of women he had treated and made a note of their contact details.
One of his victims – Vivien Hamilton – spoke to The Ferret about his behaviour and said it forced her to move home and her story will be told in tomorrow’s Herald on Sunday.
The Scottish Liberal Democrats said the figures were “extremely troubling” while Scottish Labour said data protection laws are “only as good as the people controlling them”.
The health boards said in reply they take the issue of patients’ confidentiality extremely seriously.
Breaches of personal data cover a broad range of scenarios, including unlawful access and the deletion of files.
Organisations must notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms.
If an organisation decides against making a report, the ICO says it should keep a record of it and be able to explain why it wasn’t reported if necessary.
Most NHS boards provided figures in reply to our requests for information but some said they were unable to.
NHS Greater Glasgow and Clyde recorded the highest number of breaches. Since January 2018 the board has recorded 673 data breaches of, which 95 per cent were the result of human error, while 5% (34) resulted in disciplinary action.
The board said it does not “routinely report serious data breaches” to the police, instead letting the ICO investigate and liaise with the procurator fiscal’s office if they believe criminal charges should be brought.
NHS Tayside said there have been 273 data breaches but said it could not disclose what action, if any, has been taken against staff because the information is “not held centrally”.
NHS Lanarkshire said there have been 220 incidents recorded. These resulted in 34 first written warnings, one second and final written warning, and four people were given “formal counselling”. Three incidents were reported to the police. We asked if these people were still employed but the trust refused to say.
In a statement, Kay Sandilands, NHS Lanarkshire director of human resources, said the board “takes patient confidentiality and data breaches extremely seriously” and will take “appropriate action against any staff involved in a data breach”.
NHS Borders revealed there had been 95 recorded data breaches, with no individuals dismissed. One person resigned before an investigation was concluded, the board said.
NHS Ayrshire and Arran said it could not provide figures for the number of breaches but one case was referred to police. The board’s medical director, Dr Crawford McGuffie, said: “We have organisational policies and procedures in place to ensure the safe handling of personal information. Any identified breach will be fully investigated and appropriate action taken.”
NHS Western Isles said there were 84 breaches since May 2018 but no staff have been disciplined.
NHS Shetland reported 24 data breaches to the ICO between January 2018 and February 2021. “The vast majority of these reports were due to patient information being disclosed
to the wrong person because of administrative errors. There have been no disciplinary measures against staff or reports to police,” its FOI reply added.
READ MORE: Investigation launched following data breach of more than 150 medical records in NHS Lothian
There were eight data breaches recorded by NHS Orkney and notified to the ICO. “In terms of disciplinary situations, NHS Orkney is not able to break this information down any further on the grounds that individuals may be able to be identified,” its response added.
NHS Grampian said 45 incidents have been recorded but no further action was taken. There were six recorded by NHS Highland and each was reported to the ICO. No staff have been disciplined or dismissed.
NHS Dumfries and Galloway said there were 12 breaches but refused to confirm or deny if any action has been taken.
NHS Forth Valley did not disclose figures but said: “Any breaches are taken very seriously.” NHS Lothian did not provide specific figures either, saying it did not have people’s consent to “release data from their records”.
NHS Fife said our freedom of information request was not received.
A spokesman for the Information Commissioner’s Office said people have the right to expect “organisations will handle their personal information securely”.
The ICO added: “NHS staff have access to a great deal of personal sensitive data, so boards must ensure they have the appropriate measures and training in place to ensure people’s information is handled responsibly.
Scottish Labour deputy leader and health and social care spokeswoman Jackie Baillie said: “Data laws exist to protect people and, in the case of hospital records, it is vital personal – and potentially very sensitive – information is properly controlled.
“Unauthorised breaches of data, especially for malicious or improper purposes, must be fully investigated and, when necessary, referred to the police. Data protection laws are only as good as the people controlling them. Assurances must be given that the highest standards are being applied to ensure all patient information is being properly safeguarded.”
Scottish Liberal Democrats health spokesman Alex Cole-Hamilton said the “overwhelming majority” of NHS staff would “never dream of abusing their position”. But he said these data breaches are “nevertheless extremely troubling”.
“Patients need to have confidence the information they provide will be handled appropriately. Health boards must ensure appropriate training and security measures are in place to avoid personal data falling into the wrong hands.”
The Ferret is an editorially independent, not-for-profit co-operative run by its journalists and subscribers. You can find it at https://theferret.scot/ and can subscribe for £3 a month here: https://theferret.scot/subscribe/
Why are you making commenting on The Herald only available to subscribers?
It should have been a safe space for informed debate, somewhere for readers to discuss issues around the biggest stories of the day, but all too often the below the line comments on most websites have become bogged down by off-topic discussions and abuse.
heraldscotland.com is tackling this problem by allowing only subscribers to comment.
We are doing this to improve the experience for our loyal readers and we believe it will reduce the ability of trolls and troublemakers, who occasionally find their way onto our site, to abuse our journalists and readers. We also hope it will help the comments section fulfil its promise as a part of Scotland's conversation with itself.
We are lucky at The Herald. We are read by an informed, educated readership who can add their knowledge and insights to our stories.
That is invaluable.
We are making the subscriber-only change to support our valued readers, who tell us they don't want the site cluttered up with irrelevant comments, untruths and abuse.
In the past, the journalist’s job was to collect and distribute information to the audience. Technology means that readers can shape a discussion. We look forward to hearing from you on heraldscotland.com
Comments & Moderation
Readers’ comments: You are personally liable for the content of any comments you upload to this website, so please act responsibly. We do not pre-moderate or monitor readers’ comments appearing on our websites, but we do post-moderate in response to complaints we receive or otherwise when a potential problem comes to our attention. You can make a complaint by using the ‘report this post’ link . We may then apply our discretion under the user terms to amend or delete comments.
Post moderation is undertaken full-time 9am-6pm on weekdays, and on a part-time basis outwith those hours.
Read the rules hereLast Updated:
Report this comment Cancel