New data security protocols for NHS boards
NHS boards across Scotland must meet stringent new data security protocols designed to protect patient privacy.
Health Secretary Nicola Sturgeon has accepted in full all national recommendations made today in a report compiled by NHS Quality Improvement Scotland following the discovery of patient records at the disused Strathmartine Hospital in Tayside.
The recommendations include:
- Disused buildings should not be used for the storage of any health records or personal identifiable information
- All information held on patients should be stored in their formal health records; if information is no longer needed it should be disposed of
- New national protocols for NHS site decommissioning and disposal, bringing together estates and information management staff
- Annual property transactions returns should be used to confirm that any surplus buildings are properly cleared and closed
- All NHS staff must be adequately trained in data protection and information management
- New guidance must be developed on the management of patient-identifiable information held by clinical staff who retire or leave their post.
Ms Sturgeon said:
"Although this was an isolated incident, breaches of data security should not be happening at all.
"Patients deserve to know that their right to confidentiality will be protected by the people who care for their health.
"That means some rules need to be tightened and, just as importantly, that NHS staff need to be aware of exactly what their responsibilities are when it comes to information that can identify patients.
"This Government is accepting NHS QIS's recommendations in full, and can assure patients that work is already underway to take these forward and ensure the security of all our health information."
The investigation was carried out by NHS QIS at the request of the Health Secretary and NHS Scotland's Chief Executive Kevin Woods. A number of local recommendations are also made to NHS Tayside and have been accepted in their entirety.