Out-Law News
06 Oct 2011, 1:04 pm
Dartford and Gravesham NHS Trust stored the records in a waste-disposal room on a hospital ward after "dedicated storage areas" became temporarily unavailable, the Information Commissioner's Office (ICO) said. The records were not returned to proper storage and were probably destroyed between 28 and 31 December last year, it said.
The Trust failed to spot that the records were missing for three months and has been forced to sign undertakings under the UK's Data Protection Act to improve its policies, practices and training of staff, the ICO said.
Most of the records are believed to be several years old but at least some are thought to have contained personal data about patients and staff, including names, addresses and information about medical treatments, the watchdog said.
"[The Trust] advised the Commissioner that its records management policy required the records to be stored on the wards; however, at the time of the incident, dedicated storage areas were temporarily unavailable," according to the Trust's undertakings.
"As a stop-gap, boxes containing the records were kept in a ward waste-disposal room. The intention was to relocate the records once storage areas were accessible. Unfortunately, this did not happen and in the Trust's view it is likely that the boxes containing the records were removed and securely destroyed. In the absence of a clear and documented audit trail the Trust has been unable to ascertain the likely date of destruction. For the same reason, the Trust is also unable to specify how many records contained personal and sensitive personal data," the undertakings said.
Under the Data Protection Act organisations responsible for holding personal data must secure it from "unauthorised or unlawful processing ... and against accidental loss or destruction of, or damage to, personal data".
The DPA also defines "sensitive personal data" as including personal data relating to an individual's "physical or mental health or condition". Because information about such matters could be used in a discriminatory way, and is likely to be of a private nature, it must be treated with greater care than other personal data, the ICO has said in guidance on sensitive personal data.
Dartford and Gravesham NHS Trust must make sure staff are aware of its policies on storing personal data and are "appropriately trained" to carry out the policy, the undertakings said.
The Trust must also regularly monitor compliance with its data protection and personal data policies and "implement such other security measures as it deems appropriate to ensure that personal data is protected against unauthorised and unlawful process, accidental loss, destruction, and/or damage".
If personal or sensitive personal data is to be destroyed it must be carried out in line with the Trust's "policies and procedures".
"Although the majority of information lost was several years old and only being kept for archiving purposes, there is no excuse for failing to keep it secure," said Sally Anne Poole, acting head of enforcement at the ICO.
"The hospital should have ensured that the records were kept in a safe area – and, had they had adequate audit trails in place, they would have been able to keep track of where this information was at all times," she said.
Poole NHS Trust has also signed undertakings to keep the personal information it is in charge of more secure, after two diaries containing the names, addresses and visiting details of 240 midwifery patients were stolen from a nurse's car, the ICO said.
The Poole NHS Trust has committed to keeping "personal information it uses secure, includes making sure patient information is not left in unattended vehicles and that papers only contain the minimum amount of data necessary" and will also "anonymise information where possible," the ICO said.