Watchdog raps ambulance service for sharing data with CCG without legal basis

An ambulance service NHS trust has given an undertaking to the Information Commissioner’s Office after it shared patient data with a clinical commissioning group (CCG) without there being a legal basis to do so.

In October 2013 the South Western Ambulance Service NHS Trust (SWAST) shared seven discs holding descriptive patient data on 45,431 data subjects with the CCG.

The discs were safely received intact, but whilst in the possession of the CCG, it was found that the discs were not encrypted.

“Although the discs were sent via recorded delivery to a named member of staff, this presented a potential security risk,” the undertaking, which can be viewed here, said.

“It also was found that there was no record of the senior member of staff at SWAST, who was responsible for the exchange, of having completed any information governance training. The monitoring of staff training requirements in respect to data protection was therefore seen to be lacking.”

The ICO, as part of the investigation, queried the legal basis on which the data was provided to the CCG.

“It was determined that there was no justifiable legal reason for the CCG to access the patient data as well as there being no information sharing agreement in place,” the undertaking said.

“It was further found that additional data fields had been requested by the CCG which were not properly considered, risking the potential of providing excessive information.”

The chief executive of the trust has signed an undertaking to comply with the first, third and seventh data protection principles. This includes the completion of a privacy impact assessment in respect of data sharing.