WIREDGOV

Belfast Health and Social Care (BHSC) Trust has been served with a Civil Monetary Penalty (CMP) of £225,000 following a serious breach of the Data Protection Act (DPA), the Information Commissioner’s Office (ICO) said this week.

The breach involved the sensitive personal data of thousands of patients and staff, and included medical records, X-rays, scans and lab results, and staff records including unopened payslips.

In April 2007 six local Trusts merged into the BHSC Trust. The merger resulted in the Trust taking on the management of more than 50 largely disused sites, including Belvoir Park Hospital.

In March 2010 the Trust was informed that trespassers had gained access to the Belvoir Park site and taken photos of a number of patient records before posting them online.

The Trust then carried out inspections of seven buildings at the hospital and a large quantity of patient and staff records were discovered, some dating back to the 1950s. However, some parts of the site were not inspected because they were either locked or inaccessible, due to concerns about asbestos contamination

While the Trust took action to improve the security of the site, including repairing damaged doors and windows, on 11 April 2011, the Irish News reported that it was still possible to access the site without authorisation. The Trust then increased the number of security guards on site and carried out a full inspection which revealed further records, many of which were being retained in breach of the Trust’s ‘Records Retention and Disposal’ policy. 

The Trust failed to report the situation at the Belvoir Park site to the ICO. The ICO’s investigation found that the Trust failed to keep the information secure and also to securely destroy medical documents which it no longer required. 

The ICO’s Assistant Commissioner for Northern Ireland, Ken Macdonald, said:

“The severity of this penalty reflects the fact that this case involved the confidential and sensitive personal data of thousands of patients and staff being compromised.

“The Trust failed to take appropriate action to keep the information secure, leaving sensitive information at a hospital site that was clearly no longer fit for purpose. The people involved would also have suffered additional distress as a result of the posting of this data on the Internet.
 
“The Trust has therefore failed significantly in its duty to its patients, and we hope that the action we’ve taken sets an example for all organisations that they must keep personal data secure, irrespective of where they choose to store it.”

The Trust has now removed patient records from the site and examined them and either retained or securely disposed of them as required. A decommissioning policy has also been implemented by the Trust to ensure that personal information is securely destroyed once it is no longer needed. 

• View a copy of the BHSC Trust monetary penalty
• View all of our recent monetary penalty action 

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

3. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter. Our press office page provides more information for journalists.

4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than is necessary
• Processed in line with your rights
• Secure
• Not transferred to other countries without adequate protection

5. Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.

6. Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Information Commissioner’s Office (ICO).