GLD Vacancies

NHS trust gives undertaking after series of cases where patient data sent to incorrect addresses

The South West Yorkshire Partnership NHS Foundation Trust has given an undertaking to the Information Commissioner’s Office after a series of incidents where patient data was sent to incorrect addresses.

The ICO investigation discovered that although the Trust had issued ad hoc guidance to staff following each breach, this had not been formalised in any policy or procedure.

The investigation was launched after the ICO was informed on 19 July 2013 that the trust had disclosed a discharge letter relating to one patient to an unrelated third party.

The ICO then discovered that the two discharge letters both ended up in the same envelope, which had not been checked before it was sent.

The trust had a safe haven policy in place which included a section on posting information. However, it did not cover the need to check documentation containing personal data before it was sent (for any format).

The ICO was subsequently informed of four further similar incidents that occurred after the original incident.

“One incident involved a letter being sent to the wrong address following an address not being updated, two involved letters being sent to an address that had been incorrectly written or recorded, and one further case was almost identical to the first reported breach, in that a community treatment order for one individual was placed with a letter intended for another individual,” the undertaking revealed.

In terms of remedial action South West Yorkshire Partnership NHS Foundation Trust relied entirely on sending out details of the breaches to staff along with reminders of the need to check the content of correspondence and the address before sending.

The ICO noted that no disciplinary action had been taken, despite the trust considering that all of the incidents had occurred as a result of human error.

It also concluded that some of the investigations carried out by the trust had “not been particularly detailed”.

The trust has agreed to:

  • Ensure it updates its safe haven policy to provide guidance on checking the contents of correspondence before it is sent, for all methods of communication;
  • Ensure that the guidance provided on checking contact details on every contact is formalised in an appropriate policy;
  • Esnure that all security incidents involving personal data are thoroughly investigated, with any remedial actions and measures clearly established and given a timeframe for completion;
  • Implement such other security measures “as are appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage”.

A copy of the undertaking can be viewed here.

See also: Protecting patients, protecting patient data by Emma Godding.