Healthcare sector must do more to protect patient data, says ICO

The health sector must do more to protect sensitive patient data and ensure that workers implement key safeguards in practice, a senior official at the Information Commissioner’s Office will warn today.

The warning was to be delivered in a speech by Jonathan Bamford, Head of Strategic Liaison, to a healthcare conference in London as it emerged that two NHS trusts had signed undertakings following separate breaches of the Data Protection Act.

In the first case Dartford and Gravesham NHS Trust accidentally destroyed 10,000 archived records including medical information relating to patients’ previous treatment.

According to the ICO investigation, certain records held by Dartford and Gravesham should have been kept in a dedicated storage area, but were put in a disposal room due to lack of space.

The records were then mistakenly removed from the room and destroyed between 28 and 31 December 2010. The NHS Trust failed to realise that the information was missing for three months.

The watchdog said that the Trust had “been unable to establish how many of the records would have contained personal information - the majority of which would have been several years old”.

Some records included the names and addresses of former patients and some staff, and a limited amount of medical information relating to treatment.

“The Trust has confirmed that the loss of these records does not pose a clinical risk to data subjects affected by this incident,” the ICO said.

Dartford and Gravesham has signed an undertaking to ensure staff are made aware of data protection policies and procedures and that they receive suitable training on how to follow them. The Trust has also agreed to regularly monitor its staff to make sure policies are being correctly followed.

The ICO’s Acting Head of Enforcement, Sally Anne Poole, said: “Although the majority of information lost was several years old and only being kept for archiving purposes, there is no excuse for failing to keep it secure. The hospital should have ensured that the records were kept in a safe area – and, had they had adequate audit trails in place, they would have been able to keep track of where this information was at all times.”

In the second case, two diaries were stolen from the car of a nurse employed by Poole NHS Trust. The diaries contained information relating to the care of 240 midwifery patients, including their names, addresses and details of previous visits.

Poole has signed an undertaking to keep personal information secure, including making sure patient information is not left in unattended vehicles. It has also agreed that papers should only contain the minimum amount of data necessary, and to anonymise the information where possible.