Edinburgh Napier University

  The introduction of Information Governance throughout the NHS in Great Britain from 2004 onwards, saw Pri-mary Care Medicine subject to a regulatory regime aligning current practice with codes, ethics, legislation and standards. However the Information Commissioners Office, as regulator of Healthcare Data Controllers, has issued statu-tory Undertakings to stem the tide of continued leakage of sensitive health data. Drawing on research from America, the issue of IT Security Risk is presented as problematic given the limitations of surveys indentifying industry trends and is viewed beyond the traditional Threat Value Asset Matrix towards a framework incorporating the reasonable man –taking all due care and diligence as is reasonably practicable in the circumstances. Following the identification of major problems across 10% of English general practices in comply-ing with both Confidentiality and Data Protection Assurance, and Information Security Assurance, a national survey of GP Practices was undertaken to investigate security incidents and risk. Contemporaneous to this, information on reported unto-ward security incidents was obtained from the regulator and all Health Boards across Scotland. Together, these results identified actual risk to securing patient data and concerns voiced from within the sector. This may be of relevance to practitioners, managers as well as policy makers particularly where changes to the structure of the NHS are proposed.