Faith in the Test and Protect system could be undermined should data breaches like the one committed by NHS Orkney be repeated, Nicola Sturgeon has warned.
Ms Sturgeon was responding to questions after it was discovered more than 50 coronavirus test results were sent “in error” to a local business.
As well as details on positive tests, the names and addresses of patients were “inadvertently sent” in May.
Health Secretary Jeane Freeman said she understood the issue was likely the result of “human error” and a full investigation was to be conducted.
All of the patients affected have already been written to.
Lib Dem Orkney MSP Liam McArthur called the breach “serious” and said the patients involved had “every right to feel let down”.
He said: “This is a serious breach, involving highly sensitive, personal data.
“Those directly affected have every right to feel let down, but there will be understandable and legitimate concerns felt more widely within Orkney as a result of what has happened.
“It is essential, therefore, that the matter is now fully investigated by the Information Commissioner’s Office and NHS Orkney so that lessons can be learned and urgent steps taken to avoid any repeat in future.”
Ms Sturgeon said assuring the public they could trust their data would be held securely and privately was one of the most important aspects of the Test and Protect initiative and her government would do all it could to build trust in it.
She said: “Can I stress strongly the issues of security, privacy and data protection are taken very seriously within Test and Protect and will continue to be so.
“Any lessons applicable from the regrettable situation involving NHS Orkney will be transferred into the decisions around Test and Protect.
“Confidentiality, privacy, security – these are all principles at the heart of the system.
“Without assurances around these things then we will not be able to build the trust that we must build in this system for it to be effective.”
Ms Freeman added: “My understanding is this was a human error but we are investigating exactly what happened, identifying where, if there was, anything other than human error which needs to be addressed, that we address that.
“We will set that out and also ensure there is a check we, as human beings, handle this data to make sure that when an error is made it is picked up very early and, if necessary, intervened and addressed.
“We are investigating this just now with NHS Orkney, as soon as we are clear about the detail of exactly what happened and what steps are being taken to ensure it doesn’t happen again then we will set that out and be very clear about that.”
Highlands and Islands MSP Jamie Halcro Johnston said: “Patient confidentiality is absolutely fundamental to public trust in the system.
“If there is a loss of confidence because of breaches of this kind, then there is the risk that people may become reluctant to present to the NHS if they have symptoms.
“A full investigation is vital so that the public is reassured that there won’t be a repetition in the future.”
The breach has been submitted to the Information Commissioner’s Office, the public body responsible for investigating and maintaining data protection.
Julie Colquhoun, head of corporate services at NHS Orkney, said: “I can confirm that on May 15 data on 51 patients was sent to a local business in error.
“This data comprised patient names, addresses and the results of Covid-19 testing.
“Following investigation, it is clear this was an isolated case of administrative error.
“We have written to all the patients affected to make them aware of this incident and apologise to them. This has also been reported to the Information Commissioner’s Office.
“NHS Orkney takes the management of patient data extremely seriously and all staff have been reminded of the correct procedures to follow. I would like to take this opportunity to apologise again to those people affected.”