Second NHS data leak to be fully investigated
Another data breach at NHS Orkney has led to a confidential health board file being inadvertently sent to a member of the local press, in what has been described by the health authority’s new interim chief executive as a “regrettable” error.
Michael Dickson, who is set to arrive in Orkney today, Friday, has apologised for the data protection breach, which disclosed the names and personal information of ten NHSO staff members. Mr Dickson has confirmed that the leak will be the subject of a full investigation.
The information, which cannot legally be shared according to the Freedom of Information Act (Scotland), was sent to a journalist at The Orcadian by email, yesterday, as part of the response to a Freedom of Information (FOI) request submitted by the newspaper.
A covering letter from NHS Orkney clearly stated that it would be illegal for it to share the names of travellers, in response to questions about journeys made between Orkney and the Scottish Mainland by NHS Orkney staff during lockdown. While the first page of an attached spreadsheet corresponded to the legislation, a second page — which had been attached in error — revealed full names and job titles linked to travel information, including booking references, invoice numbers, and tax filing information.
This is the second time in recent months that NHS Orkney has breached data protection laws. In May, a file containing the names and personal details of 51 health and social care workers who had applied to be swabbed for coronavirus — including some test results — was sent to an Orkney business in an “administrative error.”
The health authority’s new interim chief executive, who has promised a new “open and honest” approach to communicating with the press and the public, told The Orcadian he was disappointed to see a second leak of confidential information in such a short space of time, and that this type of incident should never have happened.
As soon as he was made aware of the breach, yesterday evening, Mr Dickson made a personal phone call to The Orcadian to offer a full apology and a statement responding to the incident.
“I have been alerted to a data breach in NHS Orkney that occurred earlier today when an FOI was responded to about staff travel to and from Orkney during the lockdown period,” he said.
“The spreadsheet that was shared as part of the response had not been correctly formatted for release, and this has led to details about a small number of senior staff members’ travel arrangements being placed in the public domain.
“I am disappointed that this is the second data breach in such a short period of time and I would like to assure you we are undertaking a full investigation, the staff involved will receive an apology and we will report this issue to the Information Commissioner.
“A data breach is regrettable at any point in time, but I appreciate this is a particularly sensitive matter for people in Orkney just now. I would like to assure you that all appropriate steps will be taken to mitigate this error and also to ensure lessons are learned moving forwards.”