I hope this is something that will be allowed for discussion. I’ll give my own anonymised experience in a bit.
Data security is the business of HMCTS big time as per ‘Tribunals’. All judicial officers are warned repeatedly about the issues. All staff working in mental health services are regularly given mandatory training.
Data sharing is required for cohesive mental health care - as highlighted in the Nottingham inquiry. Nonetheless, data security is inescapably integral to mental health services.
The first big issue is that ‘people’ in mental health services are madly emailing other people at insecure email addresses, with information that would breach several parts of UK GDPR. How do I know? And madly? I’ve seen it repeatedly over the years, with my own eyes. Yes - that’s my knowledge and experience - not everybody’s.
On one occasion a ward ‘admin’ did it - sent emails to relatives with full PID in an email (unencrypted). I had a quiet and polite word and thought that was the end of it. But no, he accosted me in my office a day later - him shaking with anger - to tell me like it is, that it’s not my place to inform him of the issue - because that’s what he had always done and nobody ever raised a concern.
The long and short of it is that the conversation went the wrong way and I had to put in a complaint, which was swiftly upheld.
But you may have missed it in the above - that despite all the IG mandatory training for everybody, people do what traditions dictate.
So - it happened again in the last few days. As an independent S12 doctor for MHA assessments I had to put an email address on the forms. I don’t have an nhs.net email address or similar. I put an alias address at hushmail. The next thing I know is that I receive 4 emails from various parties: one from Social Services and three from NHS persons. One appeared to be asking for advice on medications and risk management. The next was from the other S12 doctor giving advice, and then there were two updates on where the patient was admitted (hospital and ward). The patient’s full name was in the subject field. The matter has been referred for investigation. [Nothing in the above identifies a patient or a Trust]
Everybody ought to know - or should know - that you simply do not email PID ‘externally’ unless it is contained in a properly encrypted email. That means content and attachments must be locked with a complex password that cannot be hacked by a Xieve attack in under 3 million years.
Am I alone in the above?