Sir - I am writing to express my concern about the lax use of NHS IT resources in Oxfordshire in relation to the requirements for confidential access to patient-identifiable data.

It is my understanding that one of the conditions that was agreed between the NHS national programme for IT and the medical profession in particular, was that there would be improved security when accessing electronic patient data.

This often entails the allocation of passwords to individual users, and different levels of access to information depending on the user and their role.

I have worked for five months for Oxfordshire Primary Care Trust and have the following observations:

  • Initially I was given a generic shared password to log on to the Oxfordshire-wide health network
  • I was told to use another person's network password for certain work (accessing the Open Exeter national NHS system), and was asked for my network password when I got one
  • I was given another user's password to log on to the Oxfordshire Child Health system
  • I was given another user's password to log on to the Open Exeter national NHS system
  • It appears that health visitors use generic network log-on passwords, and generic email accounts.

From the above observations it seems to me that there is a long way to go to implement the recommendations for national NHS information technology.

I am writing this letter in the hope that exposing these issues will lead to an end to such practices.

I also feel a need to comment on these issues because from 1995 to 1997 I was the data strategy manager for the English NHS and was involved in the technical discussions with the BMA about data access and the NHS national data network, NHSnet.

Dr Leslie Clyne, Abingdon