What Computer System Does the NHS Use and is it Safe?

In this day and age, we all know that every organisation is likely to hold our personal data in one form or another. So, what system does the NHS use to keep our information secure, and is it safe?

The complexity and sheer volume of personal data that organisations have on record is truly remarkable. Regardless of whether or not you believe that it is right for personal data to be stored for various purposes, everybody can agree on one thing – it is imperative that such information is kept as secure as possible.

There are thousands of different computer systems which are designed to keep data secure and out of the hands of unauthorised third parties. The NHS, as you might expect, use such a system, which serves a number of different purposes for the healthcare sector as a whole.

But there are a number of questions surrounding this subject. Namely, is the computer system used by the NHS safe? And is it up to the task of preventing a breach of NHS confidentiality? Here, we answer these questions, as well as taking a wider look at how the NHS have been tackling the issue of data security in previous years. Be sure to read on below to find out more.

What Computer System Does the NHS Use?

The NHS, and the majority of healthcare professionals in the UK, use the centrally hosted clinical computer system known as SystmOne. The system itself is developed by the Horsforth-based The Phoenix Partnership (TPP).

According to TPP, SystmOne is a ‘pioneering clinical system’ which supports their vision of a ‘one patient, one record’ model of healthcare. The primary function of SystmOne is for clinicians to be able to access a single source of information which details a patient’s contact with any health services across their lifetime.

The system provides an electronic health record for every registered patient. In practice, this means that the record should be easily accessible for every type of clinician. Naturally, this should lead to an increase in administrative efficiency, as it will lead to less duplicate data entry.

Does SystmOne Share Data with Anyone Else?

In 2015, SystmOne made an agreement to share patient data with Egton Medical Information Systems (EMIS Health). The hope for this agreement was for both companies to be able to ‘deliver functionality to support cross-organisational working’ – including tasks such as shared appointment booking.

How Secure is SystmOne?

Concerns were first raised about the security of SystmOne in 2017, when the Information Commissioner’s Office confirmed that they would be launching an investigation into TPP. This was in relation to the ‘enhanced sharing function’ of the electronic patient record system.

In particular, the ICO expressed concerns over the fair and lawful processing of patient data on the system based on the record sharing function within the system.

Following this, TPP confirmed that it would be piloting a new functionality scheme within SystmOne, designed to directly address the concerns raised by the ICO. The main aim of the scheme was to give GPs greater control and flexibility over which organisations could view a GP record.

Those changes weren’t exactly a success. In 2018, both houses of the UK parliament were informed of a software error that resulted in patients’ data being shared against their express wishes. This was down to an issue concerning the way ‘opt outs’ were passed. The result of this failure was that data from 150,000 patients was sent out by NHS Digital for audit or research purposes.

What is the NHS’s Policy on Data Security?

The NHS describes itself as ‘the guardians of patient data’. Their policy on data security outlines that they only use data for the good of health and care, and that patient data is always protected.

The NHS comply with the national data opt-out policy, which was introduced in 2018. This policy enables patients in the UK to opt out from the use of their data for research or planning purposes.

A Transparency Notice on the NHS website details exactly how they use patient data in line with the General Data Protection Regulation (GDPR). This includes information on the rights you have as a patient, how you can request a copy of your data, the way information is shared, the way information is retained, and how to make a complaint.

How Common are NHS Data Breaches?

It’s an unfortunate reality that NHS data breaches are incredibly common. However, in the vast majority of cases, this isn’t down to failures of the computer system. Rather, they tend to be caused by human error or procedural negligence.

Incredibly, 3,557 personal data breaches were reported across the health sector (the majority being in the NHS) between March 2019 and March 2021. That’s without taking into account the fact that many data breaches go unreported – so the actual number is likely to be much higher.

During that time period, there were 866 instances in which personal data was emailed or physically posted to the wrong person. Other errors included lost paperwork or devices such as laptops. There were even 12 instances of staff verbally revealing incorrect information, and 12 where data had been deliberately altered without consent.

Shockingly, the ICO disclosed that there were more data breaches across the health sector during the two-year period than in any other public, private, or charitable sector it examined.

What Should We Take from This?

While concerns have been raised about the security of the NHS’s systems, evidence seems to suggest that they have taken an active approach to improving security measures as far as possible – even if some issues have occurred along the way.

What appears to be a more pressing issue with regards to data security is how staff are trained and how failsafe measures can be implemented to reduce the worrying numbers of human errors occurring.

What are your thoughts? Have you been an unlucky victim of an NHS data breach? Feel free to leave a comment below!