26 October 2010
The Information Commissioner’s Office (ICO) has this week reported details of how a doctor at North West London Hospitals NHS Trust breached the Data Protection Act by leaving medical information about 56 patients on a tube train.
The incident occurred in May 2010 when a doctor printed out patients’ personal information to use in audit work undertaken at home outside normal working hours. The doctor realised the information had been left on the tube and returned to inform the station supervisor. The information was retrieved and returned to the doctor.
The Trust, which was commended for informing the ICO of the breach, has taken remedial steps to prevent such an incident from happening again. It has also given a formal undertaking to the ICO agreeing steps to improve its data protection policies and procedures.
The Trust has agreed to adopt a series of ‘pseudonymisation’ techniques so patients’ details, such as names, will not be recorded in such data. Only the minimum amount of information necessary to conduct an audit should be printed.
Recent high-profile data losses have led to action by the ICO; 7 NHS Trusts in the past 12 months have signed formal undertakings as a result of investigation. The ICO also has the option of imposing fines of up to £500,000 for more serious breaches.
It has become increasingly important for organisations to have comprehensive data protection policies, and for these to be communicated effectively to all employees and enforced.
The creation of a culture of protecting patients’ sensitive personal data will help NHS bodies to avoid breaches of the Data Protection Act and lessen the chances that a monetary penalty will be imposed in cases where these occur.
Hill Dickinson has a wealth of experience in dealing with the full range of employment and pensions issues. If you have any queries relating to the above, or any other legal matter, please do not hesitate to contact us for advice.



