The security of patient records is a local responsibility and each national health service body is legally responsible for holding information securely. However, the Department provides comprehensive policy, guidance and supporting tools for security compliance to NHS bodies and has also made encryption software available to all NHS trusts through a central procurement. The 10 strategic health authorities hold local organisations to account for their performance.
The Department is also providing, through the National Programme for IT, electronic patient record systems that are protected by the highest levels of access controls and other security measures, a secure NHS network for exchanging information that is centrally monitored and strongly protected, and secure NHS e-mail facilities that encrypt all data in transit within the system.
Action taken to retrieve lost or stolen patient information is locally determined and will depend on the circumstances of each particular event, but will typically include involvement of the police where theft has occurred or is suspected, and an internal investigation into the circumstances, with disciplinary procedures invoked where necessary and appropriate.