The data protection watchdog the Information Commissioner’s Office (ICO) has issued a penalty of £60,000 to St George’s Healthcare NHS Trust in London after a vulnerable individual’s sensitive medical details were sent to the wrong address. The information was contained in two letters that were sent out by the Trust in May 2011. While the letters were addressed to the correct recipient, they were sent to an old address, despite the person not having lived in the property for nearly five years.
The ICO found that the individual’s current address had been provided to the trust’s staff before the medical examination took place. Additionally the correct address had been logged on the national care records service, known as NHS SPINE, in June 2006. The mistake was made after the Trust’s staff failed to use the address supplied before the examination, or check that the individual’s recorded address on their local patient database matched the data on the SPINE. The Trust had setup a prompt to remind staff about the need to check and update patient information against SPINE; however the Trust knew the prompt could be bypassed and failed to take action to address the problem until it was too late.
Stephen Eckersley, the ICO’s Head of Enforcement, said: “It’s hard to imagine a more distressing situation for a vulnerable person than the thought of their sensitive health information being sent to someone who had no reason to see it. This breach was clearly preventable and is the result of the Trust’s failure to make sure the contact details they have for their patients are accurate and up to date.
“This is the fourth monetary penalty we have issued to the NHS in the past two months. It is vital that these organisations make sure they have the necessary measures in place to keep patients’ details secure.”
The ICO adds that the trust has now taken action to make sure that the personal information they handle is kept secure. This includes making sure adequate checks are in place to ensure that local information the trust has for patients is correct, by cross checking that information against SPINE and other relevant sources.
In a separate case, Southampton City Council has been ordered to stop the mandatory recording of passengers’ and drivers’ conversations in the city’s taxis, the Information Commissioner’s Office (ICO) announced. Since August 2009, the council has required all taxis and private hire vehicles to install CCTV equipment to constantly record images and the conversations of both drivers and passengers.
The ICO has ruled the council’s policy breaches the Data Protection Act, concluding that the recording of all conversations is disproportionate given the very low number of incidents occurring compared to the number of trouble free taxi journeys. An enforcement notice has been issued to the council who now have until November 1 to comply.
The Cheshire-based Information Commissioner, Christopher Graham, said: “By requiring taxi operators to record all conversations and images while the vehicles are in use, Southampton City Council have gone too far.
“We recognise the council’s desire to ensure the safety of passengers and drivers but this has to be balanced against the degree of privacy that most people would reasonably expect in the back of a taxi cab. It is only right that the privacy of drivers and passengers is respected. This is particularly important as many drivers will use their vehicles outside work. While CCTV can be used in taxis, local authorities must be sensible about the extent to which they mandate its use, particularly when audio recording is involved.”
The ICO has recently looked at a similar policy that was proposed by Oxford City Council. The ICO took preliminary enforcement action stating that the recording of passengers’ and drivers’ conversations in the city’s taxis would breach the Data Protection Act. The council have now suspended the implementation of the policy.
The Commissioner added: “We hope this action sends a clear message to local authorities that they must properly consider all the legal obligations on them before requiring the installation of CCTV or similar equipment and that audio recording should be very much the exception, rather than the rule.”
The Data Protection Act states that organisations can only collect personal data when it is fair and lawful to do so. For CCTV equipment in taxis, the ICO advises that images should only be recorded where it is clearly justifiable. Audio recordings should only be made on very rare occasions, for example where there are a high number of serious incidents and where recording is triggered due to a specific threat in a taxi cab.
