The Information Commissioner’s Office (ICO) has issued NHS Surrey with a monetary penalty of £200,000 after more than 3,000 patient records were found on a second-hand computer bought through an online auction site.
The sensitive information was inadvertently left on the computer and
sold by a data destruction company employed by NHS Surrey since March
2010 to wipe and destroy their old computer equipment. The company
carried out the service for free, with an agreement that they could sell
any salvageable materials after the hard drives had been securely
destroyed.
On 29 May 2012 NHS Surrey was contacted by a member of the public who
had recently bought a second-hand computer online and found that it
contained the details of patients treated by NHS Surrey. The
organisation collected the computer and found confidential sensitive
personal data and HR records, including patient records relating to
approximately 900 adults and 2000 children, on the device.
After being alerted to the problem, NHS Surrey managed to reclaim a
further 39 computers sold by the trading arm of their new data
destruction provider. Ten of these computers were found to have
previously belonged to NHS Surrey, three of which still contained
sensitive personal data.
The ICO’s investigation found that NHS Surrey had no contract in
place with their new provider that clearly explained the provider’s
legal requirements under the Data Protection Act, and failed to observe
and monitor the data destruction process.
NHS Surrey mislaid the records of the equipment passed for
destruction between March 2010 and 10 February 2011, and was only able
to confirm that 1,570 computers were processed between 10 February 2011
and 28 May 2012. The data destruction company was unable to trace where
the computers ended up, or confirm how many might still contain personal
data.
The breach was one of the most serious that the ICO had seen, the data watchdog added.
NHS Surrey was alerted to the data loss by a member of the public who
had purchased an old NHS computer and found patient records.