
Brian Pennington

A blog about Cyber Security & Compliance


No NHS fines for breaching the Data Protection Act then two come along in quick succession

At the end of April the Information Commissioner’s Office fined The Aneurin Bevan Health Board for breaching the Data Protection Act and today they fined Central London Community Healthcare (CLCH) NHS Trust £90,000.

The CLCH breach first occurred in March 2011, after patient lists from the Pembridge Palliative Care Unit, intended for St John’s Hospice, were faxed to the wrong recipient. The individual informed the Trust in June that they had been receiving the patient lists – around 45 faxes over a three-month period – but had shredded them.

The patient lists contained sensitive personal data relating to 59 individuals, including medical diagnoses and information relating to their domestic situations and resuscitation instructions.

The ICO’s investigation found that the Trust failed to have sufficient checks in place to ensure that sensitive information sent by fax was delivered to the correct recipient. The Trust also failed to provide sufficient data protection guidance and training to the member of staff concerned.

Stephen Eckersley, the ICO’s Head of Enforcement said:

“Patients rely on the NHS to keep their details safe. In this case Central London Community Healthcare NHS Trust failed to keep their patients’ sensitive information secure. The fact that this information was sent to the wrong recipient for three months without anyone noticing, makes this case all the more worrying.”

Read the summary of the April fine, “Information Commissioner finally fines the NHS for a breach of the Data Protection Act”.


Information Commissioner finally fines the NHS for a breach of the Data Protection Act

The Aneurin Bevan Health Board (ABHB) has become the first part of the NHS to be issued with a penalty (£70,000) for breaching the Data Protection Act.

The breach occurred when a consultant emailed a letter to a secretary for formatting, but did not include enough information for the secretary to identify the correct patient. The doctor also misspelt the name of the patient at one point, which led to the report being sent to a former patient with a very similar name.

The ICO’s investigation found that neither member of staff had received data protection training and that the organisation didn’t have adequate checks in place to ensure that personal information was sent to the correct person. These poor practices were also used by other clinical and secretarial staff across the organisation.

Stephen Eckersley, the ICO’s Head of Enforcement said:

“The health service holds some of the most sensitive information available. The damage and distress caused by the loss of a patient’s medical record is obvious, therefore it is vital that organisations across this sector make sure their data protection practices are adequate.

“Aneurin Bevan Health Board failed to have suitable checks in place to keep the sensitive information they handled secure. This case could have been extremely distressing to the individual and their family and may have been prevented if the information had been checked prior to it being sent.

“We are pleased that the Health Board has now committed to taking action to address the problems highlighted by our investigation; however organisations across the health service must stand up and take notice of this decision if they want to avoid future enforcement action from the ICO.”
