After another NHS body* decided to ignore simple Data Protection guidelines, the UK Information Commissioner has repeated his Top 5 Tips to help organisations improve their approach to Data Protection, especially those moving premises:
- Personal information is at particular risk when moving premises – make sure its security is a priority. All but one of our monetary penalties issued under the Data Protection Act in 2012/13 were for failing to keep information secure.
- Don’t assume anything. This breach happened because two departments each assumed that the other was conducting a final check that all records had been removed or transferred as required. Make sure it is clear who is responsible for what.
- Ensure records and equipment containing personal information are moved securely. Where personal information is being moved to other premises, make sure there is a secure means of moving the information and check that it has all been received safely.
- Dispose with care. If moving premises requires the disposal of files or computer hardware, make sure that this is done in a secure manner. Remember you are still responsible for what happens to personal data even after it has left through the back door.
- Learn from your mistakes. Stockport Primary Care Trust had suffered two similar incidents before this breach, but senior management hadn’t been informed. Put a policy in place to make sure that security incidents are reported and acted upon so that you learn from your mistakes.
* The NHS Commissioning Board has been fined £100,000 by the Information Commissioner’s Office (ICO) after the dissolved Stockport Primary Care Trust left behind around 1,000 documents, including work diaries, letters, referral forms and patient records containing personal information, when it vacated its premises. Some of the documents contained particularly sensitive data relating to 200 patients, including details of miscarriages, child protection issues and, in one case, a police report relating to the death of a child.
The size of the fine reflects the serious nature of the breach and the fact it was not the first time the organisation had “lost information”.
David Smith, Deputy Commissioner and Director of Data Protection, said about the Stockport fine:
It’s crucial that organisations don’t take their eye off the ball when moving premises. This NHS trust’s efforts to keep its patients’ confidential records secure were completely undermined by its failure to properly decommission the premises it was leaving.
The highly sensitive nature of the documents left behind makes this mistake inexcusable, and there can be no doubt that the penalty we’ve served is both necessary and appropriate.
In the last year we have served two six-figure penalties on organisations that have left large volumes of personal information behind when leaving a site. These penalties highlight the need for organisations to have effective decommissioning procedures in place and to make absolutely sure that these procedures are followed in practice.