Information Commissioner's Office

Scottish health board ordered to improve after people’s details left abandoned

The Information Commissioner’s Office (ICO) has ordered Grampian Health Board (NHS Grampian) to take action to make sure patients’ information is better protected. 

The warning comes after six data breaches within a thirteen-month period in which papers containing sensitive personal data were left abandoned in public areas of the hospital, and one case in which the information was found at a local supermarket. All of the papers were returned to staff, with the final incident occurring on 28 March 2014.

The ICO’s investigation found the same mistakes continued to occur because NHS Grampian didn’t have an information register identifying the personal information held and the department responsible for looking after it. This gap in their procedures resulted in the organisation failing to take sufficient remedial action. The ICO previously alerted NHS Grampian to this oversight during an audit carried out in December 2011, but the organisation failed to act.

ICO Assistant Commissioner for Scotland, Ken Macdonald, said:

“It’s a fundamental requirement of the Data Protection Act that organisations understand what personal information they hold and who is responsible for looking after it on a day-to-day basis. NHS Grampian failed to do this despite committing to addressing this problem when our office highlighted it as an issue during an audit three years ago.

“We hope this enforcement notice gives the organisation a further chance to put their house in order and look after the information of the people they serve. Failure to comply with the notice is a criminal offence. In addition, if any further breaches occur, we do not rule out taking further regulatory action, including fining the organisation up to £500,000.”

The ICO’s enforcement notice requires the organisation to produce a high level information asset register by 22 June 2015. The register must explain which areas of the organisation are responsible for keeping the personal information they handle secure. NHS Grampian must provide a progress report showing how these improvements are being made by 31 March 2015, and confirm completion by 29 June 2015.

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

3. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter.

4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

5. If you need more information, please contact the ICO press office on 0303 123 9070.
