ICO issues £100k fine after public body leaves data at former site

The Information Commissioner’s Office has handed out another six-figure fine after a second public body was found to have left sensitive records at a former site.

The ICO imposed a £100,000 monetary penalty after Stockport Primary Care Trust left personal data at a site it sold in 2011. 

The PCT was dissolved on 31 March this year, with its legal responsibilities transferring to the NHS Commissioning Board.

The new owner of the site reported to the local council that boxes of waste had been left behind. The PCT was informed and found 1,000 documents containing a range of personal information.

The ICO said the information at the site – which was closed in 2010 – included details of miscarriages, child protection issues and a police report relating to a child’s death.

The case arose in part because different teams – the estates department and the relevant service department – each assumed that the other was conducting a final check.

The investigation found that there had been two previous security incidents where personal data had been left behind in secure buildings owned by the trust. However, senior management at the trust had not been informed of these cases.

The NHS Commissioning Board will be required to pay the penalty amount by 3 July or serve a notice of appeal by 5pm on 2 July.

In June 2012 Belfast Health and Social Care Trust was ordered to pay £225,000 after 100,000 paper medical records and 15,000 staff records were found at Belvoir Park Hospital.

The BHSC was created by the merger of six local trusts in April 2007 and took on the management of more than 50 largely disused sites. The Belvoir Park Hospital site had closed the previous year.

David Smith, Deputy Commissioner and Director of Data Protection at the ICO, said: “It’s crucial that organisations don’t take their eye off the ball when moving premises. This NHS trust’s efforts to keep its patients’ confidential records secure were completely undermined by its failure to properly decommission the premises it was leaving. 

“The highly sensitive nature of the documents left behind makes this mistake inexcusable, and there can be no doubt that the penalty we’ve served is both necessary and appropriate.”

Smith said the Stockport and Belfast cases highlighted the need for organisations to have effective decommissioning procedures in place and to make sure that these procedures were followed in practice.

A spokesman for the NHS Commissioning Board said: “We are aware of the notice from the office of Information Commissioner and are looking into the details surrounding it but we must stress that this fine relates to an organisation that no longer exists.

“NHS England treats any issue relating to the integrity of patient confidentiality very seriously and will continue to work to ensure that all patient identifiable information is treated sensitively and handled in a proper manner.”

The spokesman said the board has no plans to appeal.