ICO issues fine after patient data is discovered on old computers

NHS Surrey has been fined for leaving sensitive information on old computers.

The Information Commissioner’s Office (ICO) has fined the now-defunct NHS Surrey £200,000 after it was found to have allowed old computers containing public data to go up for sale.

In May 2012, a member of the public contacted the organisation to say they had found personal information on a computer they had purchased via an online auction site.

An investigation revealed that NHS Surrey had been outsourcing data destruction and had permitted an outside firm to take computers away and wipe what was on them, provided that the business could have the hardware to sell afterwards.

It turned out that the firm in question had not been wiping hard drives and had allowed patient records relating to 900 adults and 2,000 children to go out on one computer alone.

After the problem was discovered, 39 more machines were recovered, but it is not clear how many more may still be in the public domain.

The ICO found that NHS Surrey had not fulfilled its legal requirements under the Data Protection Act and had failed to monitor the organisation it used for data destruction.

Stephen Eckersley, ICO head of enforcement, said: "The facts of this breach are truly shocking. This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case."

In response, the ICO has published guidelines detailing how old IT equipment containing potentially sensitive information can be properly disposed of.

This includes ensuring that at least one member of staff has a responsibility to ensure proper asset disposal; completing a full inventory of all equipment marked for disposal; and considering the security vulnerabilities that may occur with each method of disposal.
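The control those guidelines point at, checking that a contractor's wipe actually happened before hardware leaves the organisation, is something a security team can automate rather than take on trust. The following is an added example, not part of the article or of the ICO guidance: a Python script that reads a disk image (or a block device opened read-only) and reports every sector that still differs from the expected fill byte, along with runs of printable text that would indicate leftover records. The sample image, the record text and the function names are constructed for this example.

```python
import io
import re
import sys

SECTOR_SIZE = 512
# Runs of 16+ printable ASCII bytes are a cheap indicator of leftover text
# (records, file names, paths) that a wipe should have removed.
TEXT_RUN = re.compile(rb"[\x20-\x7e\t\r\n]{16,}")


def scan_image(stream, fill=0x00, chunk_size=1 << 20):
    """Read a disk image or block device in chunks and report whether it is fully wiped.

    fill       : byte value the wipe was supposed to leave behind (0x00 or 0xFF for common tools)
    chunk_size : read size in bytes; keep it a multiple of SECTOR_SIZE
    Returns a dict with the size scanned, offsets of sectors that deviate from the fill,
    printable-text runs found as (offset, first 40 bytes), and an overall "wiped" verdict.
    """
    expected_chunk = bytes([fill]) * chunk_size
    dirty_sectors = []
    text_runs = []
    offset = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        if chunk != expected_chunk[: len(chunk)]:
            # Walk sector by sector only when the fast whole-chunk comparison failed.
            for start in range(0, len(chunk), SECTOR_SIZE):
                sector = chunk[start : start + SECTOR_SIZE]
                if sector != expected_chunk[: len(sector)]:
                    dirty_sectors.append(offset + start)
            # A text run straddling a chunk boundary is reported as two runs; acceptable for a release gate.
            for m in TEXT_RUN.finditer(chunk):
                text_runs.append((offset + m.start(), m.group()[:40]))
        offset += len(chunk)
    return {
        "bytes_scanned": offset,
        "dirty_sectors": dirty_sectors,
        "text_runs": text_runs,
        "wiped": not dirty_sectors,
    }


def scan_bytes(data, **kwargs):
    """Convenience wrapper for scanning an in-memory image."""
    return scan_image(io.BytesIO(data), **kwargs)


def sample_image(sectors=64):
    """Constructed test image: zero-filled except for a leftover record at sector 10
    and non-text binary residue at sector 20 (both values are made up for this example)."""
    img = bytearray(sectors * SECTOR_SIZE)
    leftover = b"Patient record: A. Example, NHS number 000 000 0000, DOB 1970-01-01\n"
    img[10 * SECTOR_SIZE : 10 * SECTOR_SIZE + len(leftover)] = leftover
    junk = bytes(range(0x80, 0xA0))
    img[20 * SECTOR_SIZE : 20 * SECTOR_SIZE + len(junk)] = junk
    return bytes(img)


if __name__ == "__main__":
    # Usage: python verify_wipe.py /path/to/image-or-device [fill-byte-hex]
    path = sys.argv[1]
    fill = int(sys.argv[2], 16) if len(sys.argv) > 2 else 0x00
    with open(path, "rb") as f:
        report = scan_image(f, fill=fill)
    print("wiped" if report["wiped"] else f"NOT wiped: {len(report['dirty_sectors'])} dirty sectors")
    for off, snippet in report["text_runs"][:10]:
        print(f"  text at 0x{off:x}: {snippet!r}")
    sys.exit(0 if report["wiped"] else 1)
```

Run against a drive before it is handed to the contractor, or against a sample of drives the contractor returns, and treat a non-zero exit as a block on release. Two caveats a practitioner would keep in mind: a read-back check can only see sectors the device exposes, so on SSDs it complements the device's own sanitize command rather than replacing it, and a clean scan proves that one drive on one day, not that the contractor's process is sound; the inventory and the named owner from the guidelines are what tie the two together.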

One way of making data protection easier could be to seek help from a company like Dajon Data Management, which will keep personal files safely in the cloud and dispose of them whenever required.

This avoids storing them on local hard drives, which can be stolen or, as in this case, passed on without being adequately wiped.