Health Sector Update: Abandoned Patient Records Result In ICO Fine

The U.K. Information Commissioner's Office has imposed a fine of £100,000 on Stockport Primary Care Trust for a serious breach of the Data Protection Act 1998.

Summary and implications

The U.K. Information Commissioner's Office (the ICO) has imposed a fine of £100,000 on Stockport Primary Care Trust (Stockport PCT) for a serious breach of the Data Protection Act 1998. The fine shows the continued focus by the ICO on data protection compliance in the health sector.

What happened?

The fine, which was reported on 3 June 2013, followed the discovery of highly sensitive patient records left abandoned at a former site of Stockport PCT. The abandoned data related to some 200 patients and also included child protection records and, in one case, a police report regarding the death of a child.

The data was recovered when the site was purchased and the new owner found boxes of records left behind. This led to an ICO investigation which uncovered two earlier data protection incidents.

Stockport PCT was dissolved on 31 March 2013. As their legal responsibilities have been passed to the NHS Commissioning Board (the Board), the Board will be required to pay the fine. We understand that the ICO will also be talking to the NHS Stockport Clinical Commissioning Group to pass on a number of "lessons learned".

ICO focus on health sector

This latest fine follows hot on the heels of the announcement this spring (see our last briefing dated 23 April 2013) that the ICO were consulting on compulsory data protection audits for NHS services due to "significant compliance problems... within the NHS". Regular readers of our briefings will be aware that this is part of an ongoing focus by the ICO on data protection compliance in the health sector. Last year, the ICO imposed a series of record fines against various health sector organisations which were widely reported in the national news.

Recommendations

Health service providers, whether they are within the NHS or not, should take note of this latest fine and ensure that their data protection compliance programmes are robust and fully implemented. Critically, this not only means having adequate data protection policies but also regular audits to check that they are fully and effectively complied with. Data protection compliance needs to extend right through to decommissioning of services, the resulting destruction of personal data and the reporting and management of any data security incidents.

As David Smith, the Deputy Commissioner and Director of Data Protection commented:

"The highly sensitive nature of the documents left behind makes this mistake inexcusable and there can be no doubt that the penalty we've served is both necessary and appropriate... In the last year we have served two six-figure penalties on organisations that have left large volumes of personal data when leaving a site. These penalties highlight the need for organisations to have effective decommissioning procedures in place and to make absolutely sure that these procedures are followed in practice."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
