Patients details left abandoned in Stockport as ICO highlights need for better decommissioning practices

3 Jun 2013 11:29 AM

The Information Commissioner’s Office (ICO) has imposed a monetary penalty of £100,000 after the discovery of a large number of patient records at a site formerly owned by Stockport Primary Care Trust.

The information was uncovered when the site was bought in 2011 and the new owner reported that boxes of waste containing personal information had been left behind. The trust subsequently collected the information and found 1,000 documents including work diaries, letters, referral forms and patient records containing personal information. Some of the documents contained particularly sensitive data relating to 200 patients, including details of miscarriages, child protection issues and, in one case, a police report relating to the death of a child. 

The ICO’s investigation revealed two earlier security incidents where confidential and highly sensitive personal data had been left behind in secure buildings owned by the trust.

This latest breach follows a similar incident where a monetary penalty of £225,000 was served on Belfast Heath and Care Trust last year. In this incident approximately 100,000 paper medical records and 15,000 staff records were discovered at the former site of Belvoir Park Hospital.

David Smith, Deputy Commissioner and Director of Data Protection, said:

“It’s crucial that organisations don’t take their eye off the ball when moving premises. This NHS trust’s efforts to keep its patients’ confidential records secure were completely undermined by its failure to properly decommission the premises it was leaving.

“The highly sensitive nature of the documents left behind makes this mistake inexcusable, and there can be no doubt that the penalty we’ve served is both necessary and appropriate.

“In the last year we have served two six figure penalties on organisations that have left large volumes of personal information behind when leaving a site. These penalties highlight the need for organisations to have effective decommissioning procedures in place and to make absolutely sure that these procedures are followed in practice.”

Stockport PCT was dissolved on 31 March 2013 with their legal responsibilities passing to the NHS Commissioning Board. The board will be required to pay the penalty amount by 3 July or serve a notice of appeal by 5pm on 2 July. The full penalty amount is eventually paid into the Treasury’s Consolidated Fund. The ICO will also be speaking to NHS Stockport Clinical Commissioning Group to pass on the learning that should be taken from this incident. 

Top tips to help organisations moving premises include:

  1. Personal information is at particular risk when moving premises – make sure its security is a priority. All but one of our monetary penalties issued under the Data Protection Act in 2012/13 were for failing to keep information secure.
  2. Don’t assume anything. This breach happened because two departments each assumed that the other was conducting a final check that all records had been removed or transferred as required. Make sure it is clear who is responsible for what.
  3. Ensure records and equipment containing personal information are moved securely. Where personal information is being moved to other premises, make sure there is a secure means of moving the information and check that it has all been received safely.
  4. Dispose with care. If moving premises requires the disposal of files or computer hardware, make sure that this is done in a secure manner. Remember you are still responsible for what happens to personal data even after it has left through the back door.
  5. Learn from your mistakes. Stockport Primary Care Trust had suffered two similar incidents before this breach, but senior management hadn’t been informed. Put a policy in place to make sure that security incidents are reported and acted upon so that you learn from your mistakes.

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

3. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter.

4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

If you need more information, please contact the ICO press office on 0303 123 9070.