Data protection

30 January 2009 by Stephen Owen  
Filed under NHS and health

Earlier in January the Information Commissioner’s Office (ICO) announced that it had taken action against two NHS trusts after the loss of personal data.  In each case, data had been stored in an unencrypted form on easily-removable, and so easy to lose, pieces of hardware.  Whether or not the hardware and the data it contains are recovered, the effects upon those whose information is lost are serious.  Stories like this attract media attention, and in recent times the media has become more alert to this type of story and the damaging effects of data loss on the people affected.  These effects can obviously be worrying where financial or medical data are involved.

Stories of laptops being mislaid or stolen, and the increasing use of USB storage devices as convenient ways to store and transport data, make data governance an increasingly important issue.  As technology advances, new developments in data transfer and storage encourage and enable new applications which would have been unthinkable in the recent past – the NHS National Programme for IT (NPfIT), with plans for sharing health and other related data country-wide, being just one example of such an ambitious system.  However advances that make data more easily available are a double-edged sword, since accompanying the desire to store and distribute information is the need to control who has access to it, and what they can do with it.

One of the most complex parts of designing a large system can be controlling access to the data that it contains.  Most people are familiar with usernames, passwords, PINs and so on, all of which serve to control access to a system, and which are then used by the system to determine what a person can see and do.  In combination with such access controls, the underlying data within a system can be stored in an encrypted form which makes using the data much more difficult even if you can gain access to it through some unauthorised means.

What many (though by no means all) of the data protection stories related in the press have in common is that they concern data being lost OUTSIDE of the system: personal records stored on a USB stick, data downloaded onto a laptop to allow working away from the office, confidential papers left on a train – in these situations the data has already been removed from the system.  Given that access is therefore compromised, it becomes particularly important that such data is protected in some other way – encryption can be used here too.

Encryption is a process by which data is altered through a known process which can be reversed when access to the data is needed.  A secure system will typically use encryption internally to protect sensitive data such as passwords or medical history.  It is possible to encrypt the hard disk drive of a laptop computer, or the contents of a USB memory stick; this would mean that in order to read any data, a password or some similar access control measure would be needed.  Data in an encrypted form is of limited use, and so as long as access to the means of decrypting it is controlled, encrypted data can be considered relatively secure ('relatively' as it is not impossible to access encrypted data, merely difficult; encryption serves to make unauthorised access to the data infeasibly difficult rather than impossible).
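To make the paragraph above concrete, here is an added example (not code from the article, the ICO or the NHS) showing what "protecting data that has left the system" looks like in practice: a record is sealed under a password before it is copied to a USB stick, and only someone holding the password can reverse the process.  The example uses only the Python standard library, so it builds its own cipher from HMAC-SHA256 run in counter mode with an integrity tag (encrypt-then-MAC) and stretches the password with PBKDF2; the format marker, the sample patient record, the password and the iteration count are all constructed for this illustration.

```python
"""Password-based sealing of a record before it leaves the system.

Constructed illustration: the stored blob is useless without the password,
the process is reversible for anyone who has it, and any tampering or wrong
password is detected rather than silently yielding garbage.  The keystream
is HMAC-SHA256 in counter mode (a PRF in CTR mode) with encrypt-then-MAC;
a real deployment would use a vetted library cipher such as AES-GCM instead.
"""
import hashlib
import hmac
import os
import struct
from typing import Tuple

MAGIC = b"DEMOENC1"          # format marker, constructed for this example
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ITERATIONS = 100_000  # assumed value; higher is slower for a password guesser


def derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the password into two independent 32-byte keys (cipher, MAC)."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Produce `length` keystream bytes as HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt(password: str, plaintext: bytes) -> bytes:
    """Return MAGIC || salt || nonce || ciphertext || tag."""
    salt = os.urandom(SALT_LEN)    # fresh salt: same password never gives same keys
    nonce = os.urandom(NONCE_LEN)  # fresh nonce: keystream is never reused
    enc_key, mac_key = derive_keys(password, salt)
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, "sha256").digest()
    return header + ciphertext + tag


def decrypt(password: str, blob: bytes) -> bytes:
    """Reverse encrypt(); raise ValueError on a wrong password or altered data."""
    hdr_len = len(MAGIC) + SALT_LEN + NONCE_LEN
    if len(blob) < hdr_len + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a recognised sealed blob")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:hdr_len]
    ciphertext, tag = blob[hdr_len:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, blob[:hdr_len] + ciphertext, "sha256").digest()
    # Check the tag before touching the ciphertext, in constant time.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password or data has been altered")
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo() -> dict:
    """Seal a constructed record and show what a finder of the stick can and cannot do."""
    record = b"Patient: A. Example, DOB 01/01/1970, diagnosis: hypertension"  # constructed
    password = "correct horse battery staple"  # constructed
    blob = encrypt(password, record)
    results = {
        "round_trip_ok": decrypt(password, blob) == record,
        "plaintext_hidden": record not in blob and b"hypertension" not in blob,
    }
    try:
        decrypt("wrong password", blob)
        results["wrong_password_rejected"] = False
    except ValueError:
        results["wrong_password_rejected"] = True
    hdr_len = len(MAGIC) + SALT_LEN + NONCE_LEN
    tampered = bytearray(blob)
    tampered[hdr_len] ^= 0x01  # flip one bit of the ciphertext
    try:
        decrypt(password, bytes(tampered))
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The design points are the ones a reviewer would check in any such tool: a per-file random salt so that two stored copies sealed with the same password do not share a key, a per-file nonce so that keystream is never reused, a key stretched from the password so that guessing is slow, and an integrity tag checked before decryption so that a lost device that has been altered is noticed rather than trusted.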

Unfortunately many of the examples of data loss featured in the media become such large stories because data has not been encrypted.  This is a simple measure, accepted as good practice within the industry and promoted strongly by the ICO, yet it is not routinely followed.  The recent loss of data from Monster and a variety of losses from government departments serve to emphasise the need for strong access controls, routine encryption of sensitive data, and a greater appreciation of the worth of such data and the dangers involved in its distribution, even within carefully-controlled circumstances.