Matter for discussion: Digitised patient records: a data security risk?

Patient data has huge benefits for health care. It can be used to improve diagnosis; understanding of disease; treatment and prevention; policy; service planning; patient safety and individual care  . Where data is used for purposes beyond individual care it is usually anonymised, meaning that information that identifies an individual patient has been removed or pseudonymised.
However, digital patient records remain accessible to staff providing care to individuals helping to streamline care and make treatment more efficient. With 1.6 million patient interactions every day in the NHS, digital records have become integral to good care.

Access to patient data is strictly controlled and individuals can opt out of having their data shared beyond that needed for their care. Handling information in a secure and confidential manner that allows organisations and individuals to manage patients’ personal and sensitive information legally, securely, efficiently and effectively is managed by an information governance (IG) framework. In turn, IG is governed by the Data Protection Act 2018, which is the UK implementation of the General Data Protection Regulation (GDPR). In the NHS access is monitored and audited.

However, sharing patient data is not without risk. Easy access to records provides the possibility for confidential information to be shared in a way that was not possible with paper records or stand-alone electronic records – and patient data isn’t just at risk from cyberattack or hackers. Over the past five years a number of incidents have been reported of staff accessing the records of high-profile patients. Ed Sheeran, Sir Alex Ferguson, and Catherine Princess of Wales have all reportedly experienced having their private medical records accessed or attempted to be accessed by staff without valid reason (Embury-Dennis, 2018; Halliday, 2018; Coker, 2024). 

Breaches of patient confidentiality can trigger the disciplinary process and may lead to dismissal for gross misconduct, they can also have the potential for criminal conviction. Section 5 of the NMC Code ‘Respect people’s right to privacy and confidentiality’  also sets out standards for nurses, midwives and nursing associates, meaning those breaching the rules could be subject to sanctions including being struck off.

Despite the penalties in law, within the workplace and via the regulator, nursing staff have still been tempted to look at digitised patient records for people not in their care. Outside the headlines there is no way of measuring how many staff are accessing the records of friends, family and neighbours out of concern or curiosity. 
How then do we encourage staff not to stray beyond the boundaries and that good intentions are not reason enough to access a person’s private data? Is the risk of digitised records too great? Or do the benefits outweigh the risks? What more can be done to protect our patients’ right to privacy.

The reading list for this debate is available here.

References

Coker J (2024) ICO Probes Kate Middleton Medical Record Breach. Available at: https://www.infosecurity-magazine.com/news/ico-kate-middleton-medical-breach/ 

Embury-Dennis T (2018) ‘NHS workers disciplined for ‘accessing Ed Sheeran’s health records’’, The Independent. Available at: https://www.independent.co.uk/news/uk/home-news/ed-sheeran-latest-nhs-staff-sacked-ipswich-hospital-broken-wrist-elbow-a8359156.html 

Halliday J (2018) ‘Sir Alex Ferguson: hospital apologised after staff ‘spied’ on medical records’, The Guardian. Available at:  https://www.theguardian.com/football/2018/dec/03/sir-alex-ferguson-salford-royal-hospital-apologises-staff-spied-records 

Information Commissioner’s Office (2024) Data security incident trends. Available at: https://ico.org.uk/action-weve-taken/data-security-incident-trends/ 

NHS England (no date) Information governance guidance. Available at: https://transform.england.nhs.uk/information-governance/guidance/ 

NHS England (2013) A guide to confidentiality in health and social care: Treating confidential information with respect. Available at: https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care/a-guide-to-confidentiality-in-health-and-social-care/a-guide-to-confidentiality 

UK Government (2018) The Data Protection Act. Available at: https://www.gov.uk/data-protection