Two New Monetary Penalties Imposed

June 4, 2013

Patients’ Details Abandoned

The first monetary penalty, revealed by the ICO on 3 June, concerned patients’ records that were left behind when a hospital was decommissioned. The penalty of £100,000 followed the discovery of a large number of patient records at a site formerly owned by Stockport Primary Care Trust.

The information was uncovered when the site was bought in 2011 and the new owner reported that boxes of waste containing personal information had been left behind. The trust subsequently collected the information and found 1,000 documents including work diaries, letters, referral forms and patient records containing personal information. Some of the documents contained particularly sensitive data relating to 200 patients, including details of miscarriages, child protection issues and, in one case, a police report relating to the death of a child. 

The ICO’s investigation revealed two earlier security incidents where confidential and highly sensitive personal data had been left behind in secure buildings owned by the trust.

This breach followed a similar incident last year, in which a monetary penalty of £225,000 was served on Belfast Health and Care Trust. In that incident approximately 100,000 paper medical records and 15,000 staff records were discovered at the former site of Belvoir Park Hospital.

David Smith, Deputy Commissioner and Director of Data Protection, said:

‘It’s crucial that organisations don’t take their eye off the ball when moving premises. This NHS trust’s efforts to keep its patients’ confidential records secure were completely undermined by its failure to properly decommission the premises it was leaving. The highly sensitive nature of the documents left behind makes this mistake inexcusable, and there can be no doubt that the penalty we’ve served is both necessary and appropriate. In the last year we have served two six figure penalties on organisations that have left large volumes of personal information behind when leaving a site. These penalties highlight the need for organisations to have effective decommissioning procedures in place and to make absolutely sure that these procedures are followed in practice.’

Stockport PCT was dissolved on 31 March 2013, with its legal responsibilities passing to the NHS Commissioning Board. The board will be required to pay the penalty amount by 3 July or serve a notice of appeal by 5pm on 2 July.

The ICO report on the penalty includes useful advice for those with responsibility for sensitive data who are moving premises.

Adoptive Parents’ Details Mistakenly Sent to Birth Family

On 5 June, the ICO revealed that a monetary penalty of £70,000 had been served on Halton Borough Council in Cheshire following a serious breach of the Data Protection Act.

The breach occurred on 25 May last year when a council employee sent a letter about an adopted child to the birth mother, and mistakenly included a covering letter giving details of the adoptive parents’ home address. The birth mother passed this information to her parents who had been trying to obtain access to their grandchild. Subsequently they wrote to the adoptive parents seeking contact.

At the time of the breach the employee involved was under the impression that adequate checks had already been carried out and the correspondence was simply for filing and distribution.

The ICO’s investigation concluded that the breach was caused by Halton Borough Council’s underlying failure to have a clear policy and process for checking such correspondence, and relevant training for their staff.

Steve Eckersley, ICO Head of Enforcement, said:

‘It would be easy to dismiss this as a simple case of human error. The reality is that this incident happened because the organisation did not pay enough attention to how it handles vulnerable people’s sensitive information, leading to a mistake that was entirely avoidable had the right guidance and training been in place. The distress this incident will have caused the people involved is obvious, and the penalty we have issued today reflects that.’

Since the breach, Halton Borough Council has implemented a clear checklist of requirements before such correspondence can be distributed, together with a peer-checking process for work carried out by their staff.