
NHS Trust loses data on 1.6m people after sending filing cabinet to landfill

An NHS Trust lost personal data relating to approximately 1.6m people after a filing cabinet containing a key CD was sent to landfill, it has emerged.

Eastern and Coastal Kent Primary Care Trust disposed of the cabinet during a move of office premises. The CD held the address, date of birth, NHS number and GP practice code for the individuals concerned.

An undertaking posted on the Information Commissioner’s Office website reveals that when the office move was being planned, the security of the CD was considered and it was felt appropriate to store it in the cabinet.

“Although communication was established with the project manager co-ordinating the move, the existence of the CD was not communicated leading to the disposal of the filing cabinet,” the ICO said.

The watchdog said the team involved were not up to date with their information governance training and had not accessed relevant guidance on how to dispose of the CD.

Eastern and Coastal Kent PCT attempted to retrieve the cabinet when it was discovered to be missing, but it had already gone to landfill and could not be recovered.

The PCT’s chief executive, Ann Sutton, has signed an undertaking but the Trust will not have to pay a monetary penalty. “It has been noted that the data controller has taken substantial remedial measures to prevent the reoccurrence of such an incident,” the ICO said.

Eastern and Coastal Kent PCT has agreed to ensure that personal data is processed in accordance with the Seventh Data Protection Principle in Part 1 of Schedule 1 to the Data Protection Act. It has agreed in particular that:

  • Clear policies and procedures will be put in place to support staff when moving offices, and these will be communicated to all relevant staff so that the procedures are followed in all future cases
  • It will ensure that information governance training is provided to all relevant staff as necessary
  • Information governance training will “ensure that staff are aware of the data controller’s policy for the retention, storage and use of personal data and how to follow that policy correctly”
  • It will implement such other security measures “as it deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage”.

In a statement, Sutton said the PCT accepted the Information Commissioner’s report on the incident in March 2011.

“We have already strengthened our Information Governance policies, procedures and training on the basis of our internal investigation of the incident. The Information Commissioner’s recommendations to improve them further will be implemented fully,” she said.

“While the breach was unfortunate, I would like to reassure patients that the data stored in the filing cabinet was not current - the most recent information was from 2002. There was no clinical data involved and the data is beyond retrieval.”

Sutton added: “It is important to stress that information systems now are far more secure than they were at the time these files were produced - we no longer store information on floppy disks or CDs and use sophisticated systems of encryption.

“We have carried out our own thorough investigation into the incident and produced a comprehensive set of recommendations and learning points which are already being implemented.”

An ICO spokesman said: “While there is no evidence to suggest that any of the data was accessed, this case highlights that clear policies and procedures should be put in place to support staff when handling personal information as part of an office move. These policies should be communicated to all relevant staff.

“We are pleased that Eastern and Coastal Primary Care Trust has now taken action to make sure that the personal information they handle is kept secure.”

Philip Hoult
