The Information Commissioner’s Office (ICO) has fined NHS Surrey £200,000 after more than 3,000 patient records were found on a second-hand computer bought through an online auction site.
The sensitive information was inadvertently left on the computer and sold by a data destruction company employed by NHS Surrey since March 2010 to wipe and destroy old computer equipment. The company carried out the service for free, with an agreement that they could sell any salvageable materials after the hard drives had been securely destroyed.
NHS Surrey chose to leave an approved provider and handed over thousands of patients’ details to a company without checking that the information had been securely deleted. The result was that patients’ information was effectively being sold online
On 29 May 2012 NHS Surrey was contacted by a member of the public who had recently bought a second-hand computer online and found that it contained the details of patients treated by NHS Surrey. The organisation collected the computer and found confidential sensitive personal data and HR records, including patient records relating to approximately 900 adults and 2,000 children, on the device.
After being alerted to the problem, NHS Surrey managed to reclaim a further 39 computers sold by the trading arm of its new data destruction provider. Ten of these computers were found to have previously belonged to NHS Surrey; and three of which contained sensitive personal data.
The ICO’s investigation found that NHS Surrey had no contract in place with its new provider, which clearly explained the provider’s legal requirements under the Data Protection Act , and failed to observe and monitor the data destruction process.
NHS Surrey mislaid the records of the equipment passed for destruction between March 2010 and 10 February 2011, and was only able to confirm that 1,570 computers were processed between 10 February 2011 and 28 May 2012. The data destruction company was unable to trace where the computers ended up, or confirm how many might still contain personal data.
This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case. We should not have to tell organisations to think twice before outsourcing vital services to companies who offer to work for free
Stephen Eckersley, ICO head of enforcement, said: “The facts of this breach are truly shocking. NHS Surrey chose to leave an approved provider and handed over thousands of patients’ details to a company without checking that the information had been securely deleted. The result was that patients’ information was effectively being sold online.
“This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case. We should not have to tell organisations to think twice before outsourcing vital services to companies who offer to work for free.”
NHS Surrey PCT was dissolved on 31 March 2013 as part of the healthcare reforms, with some of its legal responsibilities passing to the NHS Commissioning Board. The board will be required to pay the penalty amount by 22 July or serve a notice of appeal by 5pm on 19 July. The full penalty amount is eventually paid into the Treasury’s Consolidated Fund.
As a result of the breach the ICO has published guidance covering IT asset removal in line with the Data Protection Act. The seven-page guide offers advice on conducting risk assessments, identifying devices containing personal data, categorising data, using third party service providers, drawing up disposal contracts, and managing asset disposal.
To read the document, click here.
Organisations should not make disposal decisions purely based on the financial returns offered for their redundant IT equipment
Commenting on the case, Simon Harbridge, chief executive of Stone Group, IT manufacturer and solutions provider to the public sector, said: “Organisations should not make disposal decisions purely based on the financial returns offered for their redundant IT equipment.
“Ultimately, and legally, the responsibility rests with the organisation from whom the assets and data originated. While the responsibility for the security of the data is transferred to the disposal service provider on physical receipt, liability will still rest with the organisation if due diligence has not been applied in selecting that provider.
“Those looking for IT disposal services should ensure their chosen provider can demonstrate compliance with recognised security standards such as ADISA, ISO27001 and the data wiping/destruction methods employed are suitable for the classification of data and media type.”'>here.