On 13 July 2022, Manx Care received a fine of £170,500 from the Isle of Man Information Commissioner, deferred until 31 December 2022 subject to strict adherence to compliance targets.
We acknowledge the significant failures outlined in the Enforcement Notice, which make for uncomfortable reading, and would like to offer our sincere and unreserved apologies to those individuals whose data was breached through no fault of their own. Regardless of the fact that this was neither malicious nor intentional, this will undoubtedly have caused distress to them, for which we are incredibly sorry. Quite simply, this should not have happened. We would like to assure members of the public that steps are being taken to bring Manx Care’s standards of compliance into line with those expected of the organisation. These are historical breaches, and it is important to note that all patients whose data was inadvertently disclosed were notified at the time, and an apology provided.
The information governance issues that Manx Care has experienced date back to 2020 when an Enforcement Notice was issued to what was then the Department for Health and Social Care (DHSC). This transferred over to Manx Care when the organisation launched on 01 April 2021, with two subsequent Enforcement Notices being issued in August 2021 and February 2022 for further, repeat compliance failures. During this period, the organisation had incredibly limited dedicated Information Governance or Data Protection resource in place to manage and mitigate its risks, and ensure that the patient data it held was managed in a safe, secure and compliant way. This was as a result of colleagues having been transferred into other roles as part of the Island’s response to the Covid-19 pandemic.
Earlier this year, an information governance review was commissioned from KPMG – in its capacity as the external partner appointed to support the delivery of the Island’s health and care transformation programme – and found that Manx Care had insufficient resource to meet its statutory compliance responsibilities in this area. Since then, Manx Care has invested in additional staffing to support a permanent Information Governance function, along with securing temporary resource and funding to support a continuous compliance and improvement programme that addresses the findings and recommendations outlined within the KPMG review.
In the short term, Manx Care is actively progressing a number of technical and organisational measures in order to mitigate further risk by addressing the most immediate risks quickly whilst a longer-term programme is implemented, which will result in the organisation becoming a compliant one where information governance is at the forefront of our corporate agenda, supported by the policies, procedures and training required to achieve this. This will result in our ability to deal with data protection and information governance matters robustly, fully investigate and determine the root cause of any compliance issues, ensure appropriate steps are taken to further mitigate any risk, and effect a culture change across the organisation with regard to the secure management and processing of patient information.
Manx Care is very mindful of the impact that this will have in terms of public confidence in the services we provide, alongside the need for every single employee to fully understand their obligations concerning personal data protection and information governance. Data protection is fundamental to Manx Care’s operations. We are fully committed to minimising risk and any subsequent adverse impact suffered by patients and service users as a result of a data breach. We want patients, service users and members of the public to have confidence in the way we manage our information. The immediate technical and organisational measures currently being implemented are designed to improve decision-making, patient safety, quality and trust in Manx Care whilst the longer-term, sustainable changes that need to be made are effected. Data and information are vital assets, and fundamental in delivering excellent, safe, quality health and care services as part of Manx Care’s Mandate. We are committed to the actions we are implementing to improve trust and confidence in our services.
This enforcement has provided a stark and important warning to Manx Care about our current level of compliance with data protection legislation, and we hope that the public can be reassured around our future intent. Once again, we would like to take this opportunity to offer our sincere and unreserved apologies for the repeated failures and infringements that have occurred, and for the impact this will undoubtedly have had on those individuals whose data was breached through no fault of their own.