Manx Care has been warned it could face a fine of £170,000 if it doesn’t improve its handling of sensitive patient data.

An enforcement notice was served on Manx Care’s chief executive Teresa Cope by the Information Commissioner in February this year.

It gave the organisation four months to comply with GDPR rules on the processing of patient information.

The Commissioner said that patients’ personal and health data continued to be put at risk by the use, both internally and externally, of insecure methods of communication – particularly email attachments.

This had resulted in several personal data breaches in the previous six months including one case where the unencrypted medical record of a patient was emailed to about 2,200 recipients. Four months on, and with Manx Care still not fully complying with GDPR rules on such ‘special category’ data, the Information Commissioner has confirmed it has given a notice of intent indicating a penalty of about £170,000 could be imposed.

But Information Commissioner Iain McDonald said that is as far as the process has gone at present.

He said: ‘I can confirm that this office has not issued a penalty notice to Manx Care.

‘There is a process set out in the GDPR and LED implementing regulations 2018 that must be followed.

‘Where the Information Commissioner considers that a penalty may be appropriate, he must first give the controller a notice of intent and permit the controller to make representations. Only once that process is completed will the Commissioner consider whether a penalty notice should be given and, if so, the amount of the penalty and how that penalty is to be paid.

‘Payment could, for example, be stayed to provide the controller with a further opportunity to rectify its failings or made in instalments with later instalments waived subject to rectification.’

The enforcement notice was originally served on the Department of Health and Social Care at the end of October 2020.

When Manx Care took over the running of the Isle of Man’s health and social services in April 2021, it also took on the liability and responsibility for making the changes required to comply with the enforcement notice.

This included bringing its processing of personal data in line with GDPR rules, and implementing technical and organisational measures to ensure a level of security appropriate to the risk, particularly in relation to special category data sent in email attachments.

But a quarterly report published by the organisation in February this year indicated there had been little substantive progress or prospect of completion in the near future.