- Security TWENTY
- Women in Security
The sensitive information was inadvertently left on the computer and sold by a data destruction company employed by NHS Surrey since March 2010 to wipe and destroy their old computer equipment. The company did the service for free, with an agreement that they could sell any salvageable materials after the hard drives had been securely destroyed.
In May 2012 NHS Surrey was contacted by a member of the public who had recently bought a second-hand computer online and found that it contained details of patients treated by NHS Surrey. The NHS collected the computer and found confidential, sensitive personal data and HR records, including patient records relating to about 900 adults and 2000 children, on the device.
After this alert, NHS Surrey managed to reclaim a further 39 computers sold by the trading arm of their new (unnamed) data destruction provider. Ten of these computers were found to have previously belonged to NHS Surrey; three of which still contained sensitive personal data.
The data protection watchdog The Information Commissioner’s Office (ICO) found that NHS Surrey had no contract in place with their new provider, which clearly explained the provider’s legal requirements under the Data Protection Act, and failed to observe and monitor the data destruction process. NHS Surrey mislaid the records of the equipment passed for destruction between March 2010 and 10 February 2011, and was only able to confirm that 1,570 computers were processed between 10 February 2011 and May 2012. The data destruction company was unable to trace where the computers ended up, or confirm how many might still contain personal data.
Stephen Eckersley, ICO Head of Enforcement, said: “The facts of this breach are truly shocking. NHS Surrey chose to leave an approved provider and handed over thousands of patients’ details to a company without checking that the information had been securely deleted. The result was that patients’ information was effectively being sold online.
“This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case. We should not have to tell organisations to think twice, before outsourcing vital services to companies who offer to work for free.”
NHS Surrey was dissolved in March 2013 with some of their legal responsibilities passing to the NHS Commissioning Board. The board will be required to pay the penalty amount by 22 July or serve a notice of appeal by 5pm on 19 July. The full penalty amount is eventually paid into the Treasury’s Consolidated Fund. The ICO has produced guidance on old IT asset disposal, in compliance with the Data Protection Act. View the seven-page ICO pdf here.
Visit the website at: www.ico.org.uk.
Adam Chandler, newly-elected Chairman of the British Security Industry Association (BSIA) Information Destruction Section, believes that this latest development should be a wake-up call. Adam says: “Just five months ago, the BSIA issued a stark warning to the healthcare sector, after research commissioned by the association revealed that a staggering one in four healthcare professionals were aware of a recent data breach within their organisation.
“In this particular case, the NHS Trust in question chose to move away from an accredited supplier, and failed to set minimum standards for delivery of the contract, or carry out the necessary due diligence on their new supplier. This resulted in thousands of patient records effectively ending up in the public domain and serves to reinforce the important role played by professional information destruction companies in keeping our personal and private details safe.”
He added that compliance to EN15713 should be a basic requirement of any information destruction contract, as it sets minimum standards for the transportation, storage and destruction of sensitive information.
“Even if companies claim to deliver a service at a reduced cost, organisations must remember that the financial cost of data losses can more than outweigh any savings they may make by choosing a less scrupulous supplier. The Information Commissioner’s Office can issue penalty fines of up to £500,000 for the most severe data breach, and each individual record lost costs UK organisations an average of £71.”
For more information about the BSIA and its Information Destruction Section – or to locate a supplier – visit www.bsia.co.uk/information-destruction