Two UK healthcare bodies have received serious warnings from the Information Commissioner’s Office after the mishandling of paper records led to breaches of the Data Protection Act. NHS Liverpool Community Health lost papers relating to the medical history of 31 children and their mothers when they moved premises in October 2010. After a full investigation, the ICO ruled that NHS Liverpool had failed to enter into a contract with the removal company to organise the handling of personal data. In addition, no processes had been created to ensure the data being moved was secure.
In an unrelated incident, the Council for Healthcare Regulatory Excellence (CHRE) were also found to be in breach of the Data Protection Act after a possible loss of documents from complaint review files, which contained sensitive personal data. The ICO was particularly unimpressed that due to the data management failings of the CHRE, they had no idea whether the data had fallen into the wrong hands, been lost or destroyed.
Sally Anne Poole, enforcement head at the ICO, said:
"These incidents highlight significant weaknesses in both organisations' data handling procedures. These incidents should act as a warning to other organisations who handle sensitive papers of the need to make sure their paper records management processes are as robust as their electronic data systems. The protection of data in all formats must be taken seriously."
Bernie Cuthel, the chief executive of NHS Liverpool, has signed a formal undertaking stating they will ensure written contracts are always in place with third parties responsible for the handling of personal data in future. Staff will also receive additional training on how to keep information secure when moving offices.
Harry Cayton, chief executive of the CHRE, has also signed an undertaking with the ICO, assuring them that all future information containing personal data sent between the data controller and regulators will be adequately protected.
We entrust health bodies such as these with some of the most personal and private data that exists about us, our medical histories, and we expect them to take their protection far more seriously in the future. These undertakings must be acted upon, and the ICO should monitor the behaviour of these organisations to ensure mistakes such as these do not happen again.