ICO gives NHS 200,000 reasons to better manage its patient information

The ICO has done it again, having fined NHS Surrey £200,000 “for failing to check the destruction of old computers”.

NHS Surrey allowed an unevaluated third party, under a verbal cost-saving agreement, to mishandle over 3,000 patient records. The third party failed in its task of sanitising hospital data from the devices’ storage media before they were resold. Scrutiny of a single device, bought and then handed in by a conscientious member of the public, revealed that of those 3,000 patients, 2,000 were children.

This breach of patient information under the Data Protection Act was compounded, firstly by the fact that the department lost its device asset records for almost a year, and secondly because only a fraction of the devices that were probably processed by the same third party were actually reclaimed after the incident was first acknowledged. Together, these factors make it probable that sensitive patient data is still in circulation.

“Truly shocking” were the words of Stephen Eckersley, ICO Head of Enforcement, in response to the breach, and to the fact that NHS Surrey had bypassed an existing arrangement with an approved sanitisation provider.

It’s likely that the fault here lies partly in naivety (using an unevaluated service provider that did not confirm its processes in writing) and partly in the ever-pressing urge from policy-makers to save money in every business process. The fact that the destruction certificates were marked “wiped/destroyed/recycled” should have set alarm bells ringing, though: a certificate that does not state which of the three was actually done to which device attests to nothing, and it is exactly the kind of record an approved provider would be expected to make specific.

The NHS has never been so stretched, with efficiency targets of £20 billion over the four years leading to 2015, but this is cost-saving at its very worst. This was definitely £200,000 that NHS Surrey, and indeed the NHS in general, could ill afford. It goes without saying that this has been a very expensive lesson for the NHS, but it should now use that lesson to recognise the importance of protecting its patient information and so avoid any further encounters with the ICO.

Other Government departments, and indeed any organisation, public or private, with responsibility for personal information should see this £200,000 fine as an incentive to manage third-party agreements with an approach that is ethical rather than merely economical.