Information Commissioner's Office
Garages, new homes and old offices: the records management mistakes that put health records at risk
Blog posted by: Leanne Doherty, Group Manager, 29 March 2017.
When Cabinet Office Minister Ben Gummer announced the government was spending £1.9bn on UK cyber security, he highlighted health data as needing strong protection.
But while money is (rightly) invested in hi-tech cyber security solutions in the health sector, our experience is that data breaches in the sector are often caused by far more basic mistakes.
Indeed, a quick look through the health cases seen by the ICO enforcement team suggests work to do around garages and decommissioning as well as gigabytes and denial of service attacks.
We’re all guilty of keeping things we don’t need in the back of the garage, but we’ve seen a surprising number of cases of health records being left among the half tins of paint and old furniture.
In Hertfordshire several boxes of documents relating to a care home were found in a derelict garage, including staff details, medication and other personal and sensitive personal data.
While late last year we had a similar case, but this time with old care home records found in a loft.
Having proper records tracking in place would have helped the care homes to realise records were missing, and be able to do something about it in a far more timely fashion. There’s top tips on record tracking as part of our new health resources.
You might think that sensitive paperwork would be near the top of the list of things to securely transport to a new home, but the examples we’ve seen suggest otherwise.
Take the locum doctor who took patient information home, and left it there when she moved house. The information included 11 pages of ward handover sheets including details of nearly 50 patients.
Or the case where the ICO was contacted by someone who’d found highly sensitive and confidential medical records left behind by a consultant anaesthetist. The previous owner had instructed a removal company to pack and remove everything and was unaware of any issue until contacted by the ICO.
The doctor had been sent the data in his capacity as a medical expert, but was given no advice about data security or retention schedules.
There’s a clear point about information being taken off site here. Our new health resources include posters reminding staff of the importance of seeing the value of personal data before taking it out of the office.
Leaving records behind is a trend when moving offices too. Only last week the ICO issued a fine to Norfolk County Council who’d left social care files in an old filing cabinet, which had found its way to a second hand shop.
It was a similar case in Staffordshire, when a Trust moved to a new premises, but left behind details from more than a thousand patient records, containing sensitive information
Fortunately the records were safely recovered from a locked room, but that didn’t prevent the Trust’s embarrassment, with a local newspaper story headlined “Private NHS files on vulnerable patients left in old centre”.
Again, better records tracking would have shown the trust the records were missing. There’s a video demonstrating the importance of records tracking to staff on our health resources page.
Latest News from
Information Commissioner's Office
Blog: The Data Protection Fee: does your company need to pay?04/12/2019 10:10:10
Blog posted by: Paul Arnold, Deputy Chief Executive Officer/Executive Officer, 03 December 2019.
Blog: ICO and The Alan Turing Institute open consultation on first piece of AI guidance03/12/2019 09:10:00
A blog aimed at data scientists, app developers, business owners, CEOs or data protection practitioners, whose organisations are using, or thinking about using, artificial intelligence (AI) to support, or to make, decisions about individuals, by Simon McDougall, Executive Director Technology and Innovation (02 December 2019).
ICO Deputy Commissioner appointed OECD working party chair28/11/2019 09:10:00
The ICO’s Steve Wood has been appointed as chair of the OECD’s Working Party on Data Governance and Privacy.
ICO submits Age Appropriate Design Code of Practice to government22/11/2019 15:25:00
The Information Commissioner has today (Friday 22 November) submitted the final version of the Age Appropriate Design Code of Practice to the Secretary of State in accordance with the statutory deadline.
Blog: Data ethics and the digital economy19/11/2019 09:10:00
Blog posted by: Simon McDougall, Executive Director – Technology Policy and Innovation, ICO, 18 November 2019.
Blog: Why special category personal data needs to be handled even more carefully15/11/2019 09:10:00
Blog posted by: Ian Hulme, Director for Regulatory Assurance, 14 November 2019.
ICO call for views on the application for powers under the Proceeds of Crime Act11/11/2019 09:10:00
The Information Commissioner invites views on her office being granted access to investigation and other associated powers under the Proceeds of Crime Act 2002 (POCA).
Information Commissioner reminds political parties they must comply with the law ahead of General Election06/11/2019 09:10:00
The Information Commissioner has sent the following letter to the political parties in relation to the use of data in political campaigning.