The CIPP and the official reference stress violation reporting and consistently remind readers how much stronger the privacy protections are in the European Union. That said, the UK prison systems have quite a bit of explaining to do. The patient records for thousands of inmates were lost on a memory stick. As required by the EU Data Protection Directive (95/46/EC), the information received “adequate protection” through encryption and a password – that happened to be taped to the side of the stick.
The incident occurred December 30th and involves the health records of 6,360 inmates housed at HM Prison Preston. The employees involved were suspended pending an investigation into the procedures at the National Health Services Central Lancashire.
According to the article,
The information included prisoners’ surnames, prison number, cell location, age range, prison clinic appointment times and references to medical conditions such as asthma, diabetes, mental health and even sexual health references.
The USB data stick did not contain any other information such as first names, dates of birth, NHS numbers or home contact details or any financial information.
As per best practices and the EU Directive’s instruction, the prison collected minimal data within these records, choosing not to include everything available. There is one benefit: the notification requirements should cost a little less in postage.