Wednesday 13 Apr 2011 @ 10:01
WiredGov Newswire (news from other organisations)
Printable version E-mail this to a friend

Paper records management systems need to be more robust, ICO warns

The ICO is reminding organisations of the importance of keeping paper records secure after it found two healthcare organisations in breach of the Data Protection Act for losing files.

NHS Liverpool Community Health breached the Data Protection Act (DPA) by losing papers relating to the medical history of 31 children and their birth mothers during a premises move in October last year. The ICO’s investigation found that NHS Liverpool had no formal contract in place with the removal company to handle personal data - a requirement of the Act - and had no process in place to ensure personal data was kept secure throughout the move.

In a separate incident the ICO has also found the Council for Healthcare Regulatory Excellence (CHRE) in breach of the Act after the possible loss of documents from complaint review files containing sensitive personal data. However due to weaknesses in CHRE’s document recording, administration and communication processes the organisation cannot be certain if the information was ever received or whether it was subsequently lost or destroyed.


Acting Head of Enforcement, Sally Anne Poole, said:

“These incidents highlight significant weaknesses in both organisations’ data handling procedures. While we are pleased that NHS Liverpool Community Health and CHRE have both agreed to review their existing security procedures and processes, these incidents should act as a warning to other organisations who handle sensitive papers of the need to make sure their paper records management processes are as robust as their electronic data systems. The protection of data in all formats must be taken seriously.”

Bernie Cuthel, Chief Executive of NHS Liverpool Community Health has signed a formal undertaking to ensure a written contract will always be in place with any third parties responsible for handling personal data on the organisation’s behalf and that clear policies and procedures will be put in place to support staff when moving office.

Harry Cayton, Chief Executive of the Council for Healthcare Regulatory Excellence (CHRE) has signed a formal undertaking ensuring that all future information containing personal data sent between the data controller and regulators is adequately protected and that the authority’s existing pilot system for the logging and filing of documentation is implemented permanently, along with any improvements to the system uncovered during the trialling phase.

Full copies of both undertakings can be viewed here: http://www.ico.gov.uk/what_we_cover/promoting_data_privacy/taking_action.aspx#undertakings

If you need more information, please contact the ICO press office on 0303 123 9070 or visit the website at: www.ico.gov.uk.

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

3. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter. Our For the media page provides more information for journalists.

4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

• Fairly and lawfully processed

• Processed for limited purposes

• Adequate, relevant and not excessive

• Accurate and up to date • Not kept for longer than is necessary

• Processed in line with your rights • Secure

• Not transferred to other countries without adequate protection

Recruiters Handbook: Download now and take the first steps towards developing a more diverse, equitable, and inclusive organisation.