Paper Protection Reminder

by msecadm4921

The data protection watchdog, the Information Commissioner’s Office (ICO), is reminding organisations of the importance of keeping paper records secure after it found two healthcare organisations in breach of the Data Protection Act for losing files.

NHS Liverpool Community Health breached the Data Protection Act (DPA) by losing papers relating to the medical history of 31 children and their birth mothers during a premises move in October last year. The ICO’s investigation found that NHS Liverpool had no formal contract in place with the removal company to handle personal data – a requirement of the Act – and had no process in place to ensure personal data was kept secure throughout the move.

In a separate incident, the ICO has also found the Council for Healthcare Regulatory Excellence (CHRE) in breach of the Act after the possible loss of documents from complaint review files containing sensitive personal data. However, due to weaknesses in CHRE’s document recording, administration and communication processes, the organisation cannot be certain if the information was ever received or whether it was subsequently lost or destroyed.

Acting Head of Enforcement, Sally-Anne Poole, said: “These incidents highlight significant weaknesses in both organisations’ data handling procedures. While we are pleased that NHS Liverpool Community Health and CHRE have both agreed to review their existing security procedures and processes, these incidents should act as a warning to other organisations who handle sensitive papers of the need to make sure their paper records management processes are as robust as their electronic data systems. The protection of data in all formats must be taken seriously.”

Bernie Cuthel, Chief Executive of NHS Liverpool Community Health, has signed a formal undertaking to ensure a written contract will always be in place with any third parties responsible for handling personal data on the organisation’s behalf and that clear policies and procedures will be put in place to support staff when moving office.

Harry Cayton, Chief Executive of the Council for Healthcare Regulatory Excellence (CHRE), has signed a formal undertaking ensuring that all future information containing personal data sent between the data controller and regulators is adequately protected.

A school in Oldham has been found in breach of the Data Protection Act after the theft of an unencrypted laptop from a teacher’s car, the Information Commissioner’s Office (ICO) said. The laptop contained personal information relating to 90 pupils at the school.

Freehold Community School reported the breach to the ICO in January after an unencrypted laptop was stolen from the boot of a teacher’s car when parked at their home overnight. The ICO’s enquiries found that the school was unaware of the need to encrypt portable and mobile storage devices, although it did have a policy in place informing staff that storage devices should not be kept in cars when away from the school premises.

Acting Head of Enforcement, Sally-Anne Poole said: “It is vitally important that organisations take the necessary precautions to ensure that people’s personal information remains secure. The fact that the school was unaware of the need to encrypt the information stored on their laptop shows that many organisations continue to process personal information without having the most basic of security measures in place.

“We are pleased that Freehold Community School has taken action to ensure that pupils’ personal information will be better protected in the future.”

Joyce Willetts, Head Teacher of Freehold Community School, has signed an undertaking to ensure that portable and mobile devices including laptops and other portable media used to store and transmit personal data are encrypted using encryption software which meets the current standard or equivalent. Staff will also be trained on how to follow the school’s policy for the storage and use of personal data and the school has agreed that its policies on data protection and IT security issues will be appropriately and regularly monitored.

Meanwhile NHS Birmingham East and North breached the Data Protection Act by failing to restrict access to files on their IT network, the Information Commissioner’s Office (ICO) announced. The breach led to some NHS staff at their own Trust and two other NHS Trusts nearby potentially being able to access restricted information.

NHS Birmingham East and North reported the breach to the ICO in September last year after discovering that electronic files, stored on a shared network, were potentially accessible to their own employees and the employees of two other local Trusts. The files contained information relating to thousands of individuals, including members of staff. Although health records were not compromised as part of the breach, the files also contained some high level information relating to patients.

The ICO’s investigation has found that, while most of the files were not easily accessible and some security restrictions were in place, file security in general was inadequate. Acting Head of Enforcement, Sally-Anne Poole said: “It’s vitally important that IT networks storing personal information have robust security measures in place. Whilst nobody outside of the Trust environment was able to access the files, problems with the security of the network still led to a situation where sensitive information was potentially available to NHS staff that did not need it to carry out their daily role.”

Denise McLellan, Chief Executive of NHS Birmingham East and North, has signed an undertaking to ensure that adequate technical security measures are in place to prevent unauthorised access to personal data.

And Norwich City College breached the Data Protection Act by dumping sensitive personal information relating to around 80 students in a campus skip, the Information Commissioner’s Office (ICO) said today.

The college reported the incident to the ICO in February 2011. The students’ files, some of which included sensitive medical details, were found in unsecured bin bags ready for disposal. This was the second time the college disposed of personal information in this manner.

The ICO’s investigation found that although Norwich City College had adequate policies and procedures in place about the handling of personal information, they did not extend to the collection, storage and disposal of confidential waste.

Acting Head of Enforcement, Sally-Anne Poole said: “From the moment personal information is collected to the time it is securely destroyed, organisations have a legal responsibility to abide by the principles of the Data Protection Act. There is also a reputational risk for organisations with lax data protection practices.”
