NHS Camden rapped by ICO
- 25 March 2009
The Information Commissioner’s Office has taken enforcement action against NHS Camden for breaching the Data Protection Act.
The ICO has served the primary care trust with an enforcement notice for failing to dispose of a number of computers properly.
Redundant, unencrypted computers holding the names, addresses and medical diagnoses of 2,500 individuals were left beside a skip in the grounds of St Pancras Hospital in August 2008. They were there for at least 13 days, but subsequently disappeared and were never recovered.
The PCT launched a serious untoward incident investigation, which recommended that it should take a number of steps, including the encryption of computers and mobile devices and the establishment of robust asset and decommissioning registers.
However, assistant information commissioner Mick Gorrill expressed frustration about the number of enforcement notices that his office is having to issue against health bodies.
Camden is the ninth NHS organisation since November to be issued with an enforcement notice. Two PCTs were issued with notices last month, following the thefts of laptops holding personal details.
“Individuals must feel confident that their personal records will be handled properly by NHS bodies,” said Gorrill. “Over 2,500 individuals have suffered anxiety as the result of [the Camden] breach, with the worry that their medical records could fall into the wrong hands.
“I am increasingly concerned about the way that some NHS organisations dispose of sensitive patient information. Organisations need to ensure they implement appropriate safeguards to ensure personal details are disposed of in accordance with the Data Protection Act.”
NHS Camden has signed an undertaking that it will ensure all personal information is removed from computers as soon as they are decommissioned, and that it will give effect to the recommendations of its own SUI panel.
It must update the ICO on its progress by the end of March. Failure to comply with the notice would be a criminal offence.
Link:The Information Commissioner’s Office