ICO hits NHS Surrey with £200,000 data breach fine
Data protection watchdog raps former NHS Trust for failing to dispose of old computer kit properly.
The Information Commissioner's Office (ICO) has fined a defunct NHS trust £200,000 after nearly 3,000 patient records were found on a computer bought from an online auction site.
NHS Surrey was abolished on 31 March 2013 and had given the device to a company that agreed to wipe it free of charge, even though the organisation already had a data destruction arrangement in place with another firm.
The Trust struck a deal that allowed the firm to sell on any salvageable materials, once the device had been wiped and its hard drive securely destroyed.
However, in May 2012, a member of the public contacted NHS Surrey to report finding details of patients treated by the Trust on a second-hand computer they had bought online.
"The organisation collected the computer and found confidential sensitive personal data and HR records, including patient records relating to approximately 900 adults and 2,000 children," said the ICO in a statement.
In light of this, the Trust made an effort to reclaim computers that had been sent for disposal. In total, it managed to get hold of 39 PCs, three of which still contained sensitive personal data.
In the wake of an ICO investigation, it was established that NHS Surrey had no contract in place with the new data destruction firm that formally set out how the information should be disposed of.
Further to this, it also came to light that NHS Surrey mislaid records containing details about IT equipment that had been earmarked for destruction between March 2010 and February 2011.
It did confirm that 1,570 computers were processed between 10 February and 28 May 2012, but the data destruction company was unable to trace where these devices had ended up.
Stephen Eckersley, head of enforcement at the ICO, said the data breach was among the most serious the data protection watchdog had ever seen.
"The facts of this breach are truly shocking. NHS Surrey chose to leave an approved provider and handed over thousands of patients' details to a company without checking that the information had been securely deleted. The result was that patients' information was effectively being sold online," he said.
"This breach is one of the most serious the ICO has witnessed and...we should not have to tell organisations to think twice before outsourcing vital services to companies who offer to work for free."
Simon Harbridge, chief executive of system builder Stone Group, said the case should serve as a warning to end users about basing IT kit disposal decisions purely on financial returns.
"Those looking for IT disposal services should ensure their chosen provider can demonstrate compliance with recognised security standards such as ADISA, ISO27001 and the data wiping/destruction methods employed are suitable for the classification of data and media type. A visit to the provider's facilities should also be considered to verify the process and security," he added.