
East Midlands Strategic Health Authority

Encryption

Request

Dear Sir/Madam,

You will be aware that under the Freedom of Information Act any person or organisation may request certain information from a Public Authority/NHS or publicly funded body. You will also be aware of the legislation and regulations relating to the area of confidentiality of information.

We refer to information that applies to any public organisation that transfers or holds Personal Identifiable information; this includes a name, NHS or social security number, hospital number, PAS or PACS identifier or any other information that may identify an individual.

Full details of this legislation and guidelines can be found on the following NHS and Government web sites:

http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/security/encryptionguide.pdf

http://www.ico.gov.uk/what_we_cover/data_protection.aspx

http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm

http://www.connectingforhealth.nhs.uk/systemsandservices/infogov/security/encryptiontool/faqs/index_html#3 (in particular Q 26)

These emails need to be encrypted to the Government and NHS standards of 256 AES. The requirements can be confirmed on the official sites above. You will also appreciate that Personal Identifiable Information may not be stored outside the European Union.

This Freedom of Information enquiry is to require that you provide details of exactly what measures your SHA/Trust has in place, as of today, to meet the requirement for the security of emails sent or received from any third parties (e.g. A child protection case file, hospital admissions etc).

Are these encrypted to the NHS standards when sent or received from third parties? (e.g. GPs, social services, other NHS Trusts, hospitals, community nurses etc).

We intend to publish a league table of compliance with the above on our web site and in the national press. We will not be seeking any financial remuneration from persons accessing the site.

Please feel free to email us if you require any further information in order to answer this FOI request in a timely manner.

Response

With reference to previous emails relating to your request for information about encryption in the NHS and in particular to our exchange of emails of 26th November 2009 I can confirm that we hold the information you have requested. However it is also true to say that as a Strategic Health Authority, we have access to and handle very little sensitive patient data.

Using the data mapping tool as a guide, all e-mails containing sensitive or personal information are either sent NHS net to NHS net (which are encrypted) or if this is not possible, as the third party receiving the data is a non NHS organisation, a third party solution is used which in our case is TUGZIP. This encrypts data to the AES 256 bit standard required to comply with Connecting for Health’s encryption guidelines.

If you are dissatisfied with our response you may ask us to review our decision in this case by writing to:-

Mr Kevin Orford
Deputy Chief Executive and Director of Finance
NHS East Midlands
Octavia House
Interchange Business Park
Bostock's Lane
Sandiacre
Nottingham
NG10 5QG

If you do ask us to review our decisions and remain dissatisfied with the outcome you may complain to the Information Commissioner who can be contacted at

The Office of the Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 4AF 

We are also in receipt of your email of 9th December which we do not consider relevant to the way in which we have dealt with this matter since the deadline for our response to you is 24th December.

We should however point out that should you wish to use the information we have provided for any commercial purpose then the Regulations on the Re-use of Public Sector Information 2005 would apply in which case you are required to ask us for specific permission in relation to that information you wish to re-use which may or may not involve the issue of a licence and for which a fee may be levied.