Although it is largely expected that Internet giants like Facebook deal rapaciously with users’ personal data, it is astonishing that a publicly funded institution such as the NHS should decide to ignore the recommendations of its own CIO. The basis for doing so is apparently that securing the NHS, and the valuable and highly sensitive personal data it processes, is not worth the £800 million to £1 billion investment needed to fix the inadequacies of previous years and to maintain an appropriate level of security in future.
Whatever the investment, that cost will be increased by the level of GDPR-related fines that will undoubtedly be levied on the NHS – following which the investment will still have to be made, but by then probably under legal compulsion. It’s not as though the NHS doesn’t have a long history of being fined for breaches of the DPA 1998…
It amazes me that a public institution such as the NHS should consider it acceptable to take an even more blasé attitude to data security than do those private-sector organisations whose misdemeanours are so often the headline du jour.