Information Commissioner's Office

Fax blunder leads to £55,000 penalty for Staffordshire trust

The Information Commissioner’s Office (ICO) has issued a monetary penalty of £55,000 to North Staffordshire Combined Healthcare NHS Trust. The penalty follows a serious breach of the Data Protection Act which resulted in sensitive medical details of three patients being sent to a member of the public.

The details were released between August and September 2011 when three separate faxes, which should have been faxed to the trust’s Wellbeing Centre, were sent to the same member of the public.

The error was caused by the fax number for the centre being incorrectly dialled each time. The trust was eventually alerted to the problem after receiving a letter from the recipient.

The Wellbeing Centre was responsible for providing psychological therapies for the trust. The faxes disclosed confidential and highly sensitive information, including the patients’ names, addresses, medical histories, and details of their physical and mental health.

The ICO’s investigation found that while the trust had published best practice guidance which required staff to ‘phone ahead’ to make sure faxes were being sent to the right address and had been successfully received, this guidance had not been communicated to the staff involved and they had received no specific training on the secure use of fax machines.

ICO Enforcement Group Manager, Sally Anne Poole, said:

“Let’s make no mistake, this breach was entirely avoidable. One phone call ahead to the trust’s Wellbeing Centre would have alerted its staff to the fact that the number they were entering was incorrect. This would have stopped highly sensitive information about the care of vulnerable people being sent to a member of the public on three separate occasions.

“This case should act as a warning to all organisations that routinely send out sensitive personal information by fax. Make sure you have appropriate procedures and controls in place, so that errors can be spotted before it is too late.”

The ICO's guidance on the secure use of fax machines advises that organisations sending personal information by fax should:

  1. Consider whether sending the information by a means other than fax is more appropriate, such as using a courier service or secure email. Make sure you only send the information that is required. For example, if a solicitor asks you to forward a statement, send only the statement specifically asked for, not all statements available on the file.
  2. Make sure you double check the fax number you are using. It is best to dial from a directory of previously verified numbers.
  3. Check that you are sending a fax to a recipient with adequate security measures in place. For example, your fax should not be left uncollected in an open plan office.
  4. If the fax is sensitive, ask the recipient to confirm that they are at the fax machine, they are ready to receive the document, and there is sufficient paper in the machine.
  5. Ring up or email to make sure the whole document has been received safely.
  6. Use a cover sheet. This will let anyone know who the information is for and whether it is confidential or sensitive, without them having to look at the contents.

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2. The ICO regulates the Data Protection Act 1998, the Freedom of Information Act 2000, the Privacy and Electronic Communications Regulations 2003 and the Environmental Information Regulations 2004.

3. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure 
  • Not transferred to other countries without adequate protection

4. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter.

5. If you need more information, please contact the ICO press office on 0303 123 9070.
