ICO acts after Belfast data put online

Belfast Health and Social Care Trust has been fined £225,000 by the Information Commissioner’s Office after photographs of patient records appeared on the internet.

According to a penalty notice issued by the ICO, the breach of the Data Protection Act involved the sensitive personal data of thousands of patients and staff, and included medical records, x-rays, scans, lab results and staff records – including unopened payslips.

The records were obtained on several occasions from Belvoir Park Hospital by trespassers who gained access to the site, most recently in or around May 2010, following its closure in March 2006.

Belfast Health and Social Care Trust has been responsible for the site since the amalgamation of six acute and community trusts into the organisation in April 2007.

The ICO’s assistant commissioner for Northern Ireland, Ken Macdonald, said: “The trust failed to take appropriate action to keep the information secure, leaving sensitive information at a hospital site that was clearly no longer fit for purpose.

“The people involved would also have suffered additional distress as a result of the posting of this data on the internet.

“The trust has therefore failed significantly in its duty to its patients, and we hope that the action we’ve taken sets an example for all organisations that they must keep personal data secure, irrespective of where they choose to store it.”

The penalty notice states that the trust did not know that “the security of the data at the site was being compromised until March 2010, when they received a report from a third party that images of the records were accessible on-line.”

Two inspections were carried out of the hospital and a large number of patient records were discovered. However, some parts of the site were either locked or inaccessible “due to concerns about asbestos contamination.”

Despite these concerns, the records were again accessed by trespassers in April 2011. An inspection held by the data controller the following month revealed that approximately 100,000 paper medical records were stored in boxes, cabinets, on shelves or on the floor.

The notice also states that x-rays, microfiche records, hard copies of medical scans and reports, lab results, paper ward records were also found. In addition, 15,000 staff records, including unopened wage slips were found in a building that had been empty since 1992.

The ICO determined that the trust had breached the “records and retention policy” and that the contravention “was due to the negligent behaviour of the data controller in failing to take appropriate technical and organisational measures against the accidental loss of personal data.”

The trust also failed to report the situation at Belvoir Park to the ICO. Approximately 20% of the patient records were likely to relate to deceased individuals and would not be covered by the DPA.

In a statement, Belfast Health and Social Care Trust said: “Today, [the trust] accepted the fine by the Information Commissioner’s Office for a serious breach of data storage.

“The records concerned are historical and do not concern any current patients. This in no way excuses the distress this may have caused, something we apologise for. The fine will be paid from efficiency savings and will not affect patient care.”

The trust has now removed patient records from the site and examined them and either retained or securely disposed of them as required. A decommissioning policy has also been implemented to ensure that personal information is securely destroyed once it is no longer needed.