NHS trust gives undertaking to ICO after repeated errors in faxing patient data

An NHS trust has given the Information Commissioner’s Office an undertaking to improve the way it handles patients’ information, after it mistakenly sent five faxes about the care of several patients to a member of the public.

The faxes sent by staff at the Northumbria Healthcare NHS Foundation Trust should have gone to a social care team working at the trust but the wrong number was dialled.

The trust had taken action after the first incident in March 2014, by making sure its fax machines were only able to send information to pre-programmed numbers belonging to organisations working in the health service. However, these measures were not adopted across all wards.

Four further faxes containing patient identifiable data were sent to the same person in May 2014.

An ICO investigation found that:

  • There was a lack of urgency on the part of the trust in addressing, managing and recovering the fax disclosures.
  • Despite the faxes being sent from several different wards, not all wards were instructed to take action following the incidents and there was no attempt to retrieve the faxed documents immediately.
  • The trust was “fortunate in that the unintended recipient did not own a fax machine at the point at which the initial faxes were sent. As such, the first faxes were not actually received.” The unintended recipient later obtained a fax machine in order to determine where the communications to his line were originating from. At that point decipherable data was actually disclosed.
  • There was no attempt to check if the fax machines on all wards had been reprogrammed with pre-selected numbers and no timescales were put in place to check if the re-programmed numbers were correct. “Seeing as faxes are sent multiple times throughout the day from numerous wards the measures and controls introduced were not considered to be sufficient on a wider organisational scale.”

In the undertaking, Northumbria Healthcare NHS Foundation Trust has agreed to introduce clear procedures so that any data breaches reported to the trust are acted upon promptly and remedial measures are introduced across the organisation.

It has also committed to adopting fax procedures, including the use of pre-programmed numbers to avoid mistakes, across all wards to ensure adequate security standards are maintained.

The trust has undertaken to make these improvements by 30 October 2015.

ICO Head of Enforcement Stephen Eckersley said: “Many people will be surprised that we are still having to warn organisations about their use of fax machines.

“There are certainly more secure ways to send information, but if an organisation decides that a document must be sent in this way then they should have adequate measures in place to make sure the information is actually sent to the correct person. These measures must be adopted across all areas of the organisation.”