NHS email encryption
Mark Lomas
ukcrypto at chiark.greenend.org.uk
Fri, 24 Aug 2007 15:27:03 +0100
On 24/08/07, Dr Adrian Midgley (In the office) <amidgley2@defoam.net> wrote:
> From a PCT to its doctors etc
>
> "The reason for the new email address is to meet requirements of the
> Data Protection Act 1998 Principle 8 in line with the PCT's renewal of
> the Data Protection notification to the Information Commissioner. Any
> patient identifiable information sent from an ordinary email account (eg
> ekcpct.nhs.uk or gp-g80000.nhs.uk) is not fully encrypted and therefore
> open to interception and would constitute sending details outside the
> EEA. This is not considered acceptable practice and will be in breach of
> the Data Protection Act. nhs.net email accounts are encryption enabled,
> therefore a secure way to send and receive patient identifiable
> information."
>
>
> The new one is SSL to server, SSL from server to reader.
They could at least cite the correct principle.
Principle 7: Appropriate technical and organisational measures shall be
taken against unauthorised or unlawful processing of personal data and
against accidental loss or destruction of, or damage to, personal data.
Regards, Mark