The Information Commissioner’s Office (ICO) has issued NHS Surrey with a monetary penalty of £200,000 for failing to wipe patient details from decommissioned computers.
More than 3,000 patient records were found on a second-hand computer bought through an online auction site.
The sensitive information was inadvertently left on the computer, which was then sold by a data destruction company that NHS Surrey had employed since March 2010 to dispose of old computer equipment.
The company carried out the service for free, with an agreement that they could sell any salvageable materials after the hard drives had been securely destroyed.
In May 2012 a member of the public contacted NHS Surrey about the data found on a second-hand computer.
The trust collected the computer and found confidential sensitive personal data and HR records – including patient records relating to approximately 900 adults and 2,000 children – on the device.
After being alerted to the problem, NHS Surrey managed to reclaim a further 39 computers sold by the trading arm of its data destruction provider. Ten of these computers were found to have previously belonged to NHS Surrey, three of which still contained sensitive personal data.
The ICO’s investigation found that NHS Surrey had no contract in place which clearly explained the provider’s legal requirements under the Data Protection Act, and failed to observe and monitor the data destruction process.
NHS Surrey mislaid the records of the equipment passed for destruction between March 2010 and 10 February 2011, and was only able to confirm that 1,570 computers were processed between 10 February 2011 and 28 May 2012. The data destruction company was unable to trace the computers or confirm how many might still contain personal data.
“The facts of this breach are truly shocking,” said Stephen Eckersley, ICO head of enforcement.
NHS Surrey chose to leave an approved provider and handed over thousands of patients’ details to a company without checking that the information had been securely deleted, he said.
“This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case. We should not have to tell organisations to think twice before outsourcing vital services to companies who offer to work for free,” said Eckersley.
NHS Surrey was dissolved on 31 March 2013, with some of its legal responsibilities passing to the NHS Commissioning Board.
The board will be required to pay the penalty amount by 22 July or serve a notice of appeal by 5pm on 19 July.
The ICO has produced guidance explaining how old IT equipment containing personal information can be securely destroyed in compliance with the Data Protection Act.