News released from the Information Commissioner’s Office (ICO) yesterday: a penalty of £100,000 was imposed on Stockport Primary Care Trust after the discovery of a large number of patient records at a site it formerly owned.
The discovery was made by new owners when they bought the premises in 2011. The boxes of waste contained personal information including work diaries, letters, patient records, referral forms and various documents. Some of the information contained particularly sensitive data including details of miscarriages, incontinence problems, child protection issues and a police report relating to the death of a child.
The boxes had been left behind by Stockport Primary Care Trust which subsequently collected the information.
An investigation by the ICO revealed two earlier security incidents where confidential and highly sensitive personal data had been left behind in secure buildings owned by the trust.
Stockport Primary Care Trust was dissolved on 31 March 2013, with its legal responsibilities passing to the NHS Commissioning Board. The board will be required to pay the penalty amount by 3 July or serve a notice of appeal by 5pm on 2 July.
The ICO will also be speaking to NHS Stockport Clinical Commissioning Group to pass on the learning that should be taken from this incident.
David Smith, Deputy Commissioner and Director of Data Protection, said:
“It’s crucial that organisations don’t take their eye off the ball when moving premises. This NHS trust’s efforts to keep its patients’ confidential records secure were completely undermined by its failure to properly decommission the premises it was leaving.
“The highly sensitive nature of the documents left behind makes this mistake inexcusable, and there can be no doubt that the penalty we’ve served is both necessary and appropriate.
“In the last year we have served two six figure penalties on organisations that have left large volumes of personal information behind when leaving a site. These penalties highlight the need for organisations to have effective decommissioning procedures in place and to make absolutely sure that these procedures are followed in practice.”
An NHS Foundation Trust faces a fine of up to £500,000 after notes containing confidential information about 25 patients were found in the street.
Details included patient names, ages, medical history, specialist information, mobility, dietary requirement, hygiene, home circumstances and discharge plan. The documents showed the name of the person who printed them out — at 6.33pm the day before — and said “please destroy paper copy at the end of every shift”.
Bosses at Bolton NHS Foundation Trust have launched an investigation and said they have apologised to all patients and carers.
The data breach has been passed to the Information Commissioner which has said it will “determine an appropriate response”. The commissioner has the power to issue monetary penalty notices of up to £500,000 for serious breaches of the Data Protection Act.
A spokesperson for the ICO said: “We have been made aware of a possible data breach.
“We will be making enquiries into the circumstances of the alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken.”
This video shows one of our industrial shredding machines destroying paper at Security Level 3 (in accordance with the European standard for paper shredding security). The final waste paper is shredded to sizes measuring approximately 4mm x 40mm.
The paper is cross-cut, which provides an extra layer of security compared with conventional strip-cut shredders. A cross-cut shredder not only cuts the paper into narrow strips but also cuts those strips into shorter lengths, making it almost impossible to retrieve any data.
The purpose of filming the shredding in this way is to demonstrate the power and finality of the paper destruction process. It is possible to observe the operation of the two cross-cut shredding drums and obtain an understanding of how they decimate material that is fed through them.
The Ministry of Justice has unveiled plans to give the Information Commissioner’s Office (ICO) powers to carry out compulsory data protection audits on public health bodies in the UK.
The ICO currently has the power to conduct compulsory data protection audits on central Government departments in accordance with the Data Protection Act. However, consent must be obtained from other organisations before investigations can commence.
The Ministry of Justice has now said it has been convinced of the need to bring health bodies within the scope of the ICO’s compulsory audit powers and has launched a consultation document amounting to 32 pages. Health bodies are being encouraged to give their view with submissions accepted by 17th May 2013.
The Ministry of Justice said that, where the ICO had conducted consensual audits, it had identified data security problems, including “lockable storage not being used, patient records left in reception trays openly accessible and insecure confidential waste bins” as well as unencrypted sensitive data being held on mobile devices.
The highest fine the ICO has ever levied on any organisation for a breach of the Data Protection Act was served on Brighton and Sussex University Hospitals NHS Foundation Trust last year. The Trust was fined £325,000 after “highly sensitive personal data” was stolen from a hospital under its control and sold on eBay.
The watchdog had set out its intention to focus on improving health sector compliance in its information rights strategy published at the beginning of 2012.
Shredsec Ltd has enjoyed a string of new business wins across East Anglia and London including:
“Our competitive pricing and high levels of customer satisfaction have set us apart from the competition,” said Philip James, Director at Shredsec. “Organisations are becoming increasingly aware of the need to shred their paperwork and Shredsec offers a simple and flexible solution at the right price.”
Shredsec offers one-off shredding or regular shredding through a contract.
Scottish Borders Council was fined £250,000 after employee pension records were found dumped in a supermarket car park. The incident occurred in September 2011 when 676 files relating to SBC’s Local Government Pension Scheme were recovered from the recycling bank.
A year later, the Information Commissioner’s Office (ICO) fined the Council, which paid immediately in order to receive a 20% discount but appealed against the scale of the ICO’s penalty.
To cope with the increasing demand for their shredding services, Shredsec Ltd have taken delivery of a new industrial shredding machine.
“It handles paperclips, staples, disks and credit cards,” added Philip James, Director at Shredsec. “So our customers don’t need to worry about sorting their material before collection.”
The Information Commissioner’s Office (ICO) has criticised local government’s attitude towards protecting personal data, after four local councils were issued civil monetary penalties.
Leeds City Council was served a monetary penalty of £95,000, Plymouth City Council £60,000 and Devon County Council £90,000 after separate incidents saw details of child care cases sent to the wrong recipients, while the London Borough of Lewisham was issued a penalty of £70,000 after social work papers were left on a train.
The penalties mean that nineteen local councils have now received monetary penalties for breaching the Data Protection Act, totalling £1,885,000.
Information Commissioner Christopher Graham said:
“We are fast approaching two million pounds worth of monetary penalties issued to UK councils for breaching the Data Protection Act, with nineteen councils failing to have the most straightforward of procedures in place.
“It would be far too easy to consider these breaches as simple human error. The reality is that they are caused by councils treating sensitive personal data in the same routine way they
We’ve added a Shredsec Secure Shredding leaflet in PDF format that you can download from our site.
Our Address: 5 Eastern Way,
Bury St Edmunds, Suffolk.
IP32 7AB
Registered Company Number: 8264350
Telephone: 0800 567 7570
Email: service@shredsec.com
8:00am-6pm Mon-Sat
