3 June 2013

The ICO have issued a monetary penalty of £100,000 to Stockport Primary Care Trust following a breach of the Data Protection Act.

A site previously owned by the Trust contained boxes of documentation holding personal information, some of which was sensitive data. The documents included diaries, letters, referral notices and patient records. The boxes were found by the new site owner, who then informed the data controller of his findings.

The ICO have confirmed that the Trust have previously been involved in two similar security incidents where personal information had been left behind.

It is essential that organisations follow the appropriate procedures when moving premises to ensure that no documentation remains behind. The Director of Data Protection, Mr. Smith, states ‘the highly sensitive nature of the documents left behind makes this mistake inexcusable’.

Over the last 12 months penalties have been issued to other organisations for similar offences, highlighting the urgent requirement for organisations to have decommissioning measures in place and to ensure that the procedures are put into practice when the time comes.

Steps offered by the ICO to assist when moving premises

  • Ensure that personal information remains secure at all times; make security of information a priority.
  • Ensure procedures are in place for decommissioning of the site. Document who is responsible for the decommissioning and ensure that it is undertaken; do not assume that it has been done.
  • Take care when disposing of information. Be sure to dispose of files or computer hardware in a secure manner, as the data on the device remains your responsibility even once you have disposed of it.
  • Don’t make the same mistake more than once. Document and report incidents and take appropriate measures to prevent incidents from recurring in the future.