ICO Fines NHS Surrey
In July, the Information Commissioner’s Office (the ICO) fined NHS Surrey £200,000 as a result of NHS Surrey providing at least 1,570 computers with hard drives containing personal data to a contractor for erasure/destruction without properly monitoring the contractor. The contractor was permitted to sell on the computer hardware after having securely erased the personal data. However, it appears that (in at least some cases) this was never done.
The issue came to light when a member of the public bought a second-hand computer online and discovered that it still contained about 3,000 patients’ details. When the ICO looked into the matter, it discovered that NHS Surrey didn’t have a contract in place with the erasure/destruction contractor and had failed to monitor whether the contractor was in fact erasing the personal data.
The ICO’s Stephen Eckersley said, “The facts of this breach are truly shocking. NHS Surrey…handed over thousands of patients’ details to a company without checking that the information had been securely deleted…This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case…”
This decision again highlights the need to implement appropriate processes that ensure compliance with the Data Protection Act, including verifying that a contractor has actually carried out the erasure it was engaged to perform. Guidance from the ICO about the secure destruction of old IT equipment that contains personal data is available from the ICO.
If you need to confirm that you’re acting in compliance with your obligations under the Data Protection Act, Briffa offers audits to identify issues and can advise/assist with developing systems and processes that will ensure compliance. In some cases, we can also act as outsourced data protection officers. Should you have any queries about data protection, call one of our data protection experts on 0207 288 6003 or email us at INFO.