- Security TWENTY
- Women in Security
The data protection watchdog has ordered a Scottish NHS body to make sure patients’ information is better protected.
The Information Commissioner’s Office (ICO) warning to Grampian Health Board (NHS Grampian) came after six data breaches within 13 months to March 2014, where papers containing sensitive personal data were left abandoned in public areas of the hospital and one case where the information was found at a local supermarket. All of the papers were returned to staff.
The ICO found the same mistakes continued because NHS Grampian didn’t have an information register identifying the personal information held and the department responsible for looking after it. This gap in their procedures resulted in the organisation failing to take sufficient remedial action. The ICO had alerted NHS Grampian to this oversight during an audit carried out in December 2011, but the organisation failed to act.
ICO Assistant Commissioner for Scotland, Ken Macdonald, said: “It’s a fundamental requirement of the Data Protection Act that organisations understand what personal information they hold and who is responsible for looking after it on a day-to-day basis. NHS Grampian failed to do this despite committing to addressing this problem when our office highlighted it as an issue during an audit three years ago.
“We hope this enforcement notice gives the organisation a further chance to put their house in order and look after the information of the people they serve. Failure to comply with the notice is a criminal offence. In addition, if any further breaches occur, we do not rule out taking further regulatory action, including fining the organisation up to £500,000.”
The watchdog’s enforcement notice requires Grampian to produce a high level information asset register by June 2015. The register must explain which areas of the organisation are responsible for keeping the personal information they handle secure. NHS Grampian must provide a progress report showing how these improvements are being made by March, and confirm completion by June.