Warwickshire-based company to revamp data protection following breach
A Warwickshire-based company has committed to taking action to protect personal data, following a breach of the Data Protection Act
A Warwickshire-based company has committed to taking action to protect personal data, following a breach of the Data Protection Act (DPA).
The breach occurred when a system used by Pharmacyrepublic Limited to record the medication handed out to around 2,000 patients was stolen from one of its premises, the Information Commissioner’s Office (ICO) said.
Pharmacyrepublic Limited contacted the ICO in September to report the theft of the Patient Medication Record (PMR) system.
The system contained details of the medicine handed out to patients at one of its pharmacies, and was stolen while the pharmacy was being transferred to another provider. The system was supplied by another firm and Pharmacyrepublic failed to ensure that the system was securely returned to the company before leaving the premises, the ICO said.
The ICO’s investigation found that the system, which was password protected, contained a limited amount of sensitive information relating to the medicine being administered to the pharmacy's patients. The system was used to identify any problems when multiple drugs were administered to the same patient. The data has not been recovered.
“It is important that companies have measures in place to keep personal information secure at all times," said Stephen Eckersley, the ICO’s head of enforcement.
If a company is vacating premises, it should ensure that any equipment used to store people's data is handled correctly, he said.
“This incident should act as a warning to all healthcare providers – your data protection obligations do not end while the personal information of your patients remains on site and in your control,” said Eckersley.
Pharmacyrepublic Limited has agreed to take action to keep the personal data it handles secure. This includes updating its procedures to ensure that PMR data is securely handled prior to any future transfer of ownership.
All staff will also be made aware of the company’s procedures for the safe storage and retrieval of personal data, and appropriately trained on how to follow these.