Richard Carey, Chief Executive of Grampian NHS, has agreed to take action to comply with data security requirements by signing an Undertaking to assure the Information Commissioner’s Office (ICO) that personal data will be kept securely in future.
The ICO has found Grampian NHS in breach of the Data Protection Act after receiving reports of three separate incidents involving data security. A senior nursing manager inappropriately emailed 50 staff with sensitive personal details relating to a patient. Lack of secure storage on the labour ward enabled someone to remove the personal details of 200 patients from a confidential waste sack. Finally, a laptop containing details of patients in the gastroenterology clinic was stolen from a locked office. The laptop was not encrypted and contained personal data on 1500 patients with a particular disease.
The ICO has discovered that staff, patients and visitors could have had access to confidential waste, and that many staff have not been aware of the correct procedures for disposing of such material. It is also now clear that some staff have been using home computers for work-related tasks involving personal information and using USB sticks to transfer the work, contravening the organisation’s own policies and procedures.
Ken Macdonald, Assistant Information Commissioner – Scotland, said: “Details about people’s physical and mental health are sensitive personal data. It is vital that organisations handle personal information securely, especially where patients’ details are concerned. NHS Grampian will be taking a number of steps to improve data security to ensure that it complies with the Data Protection Act.”
A copy of the Undertaking can be downloaded from http://www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx