UK: NHS Tayside and NHS Lanarkshire found in breach of Data Protection Act

A press release from the Information Commissioner’s Office:

The Information Commissioner’s Office (ICO) has found NHS Tayside and NHS Lanarkshire in breach of the Data Protection Act after investigating complaints concerning the disposal of patient information at Strathmartine Hospital in Dundee and Law Hospital in Carluke.

The ICO was alerted to both data breaches earlier this year when members of the public found confidential health records in buildings on the site of the former hospitals.

Ken Macdonald, Assistant Commissioner for Scotland at the ICO, said: “The Information Commissioner’s Office takes all breaches of data security seriously. Clearly health records can contain particularly sensitive information and must be held securely and disposed of appropriately when no longer required. It is also a serious concern that both NHS Tayside and NHS Lanarkshire were keeping information for longer than necessary. We have ordered both NHS bodies to comply with the Data Protection Act in future or risk further enforcement action by the ICO.”

The ICO has now required both organisations to sign formal undertakings to comply with the Principles of the Data Protection Act. They should also follow the recommendations recently made by NHS Quality Improvement Scotland to prevent similar incidents occurring in the future. Failure to meet the conditions of the undertakings is likely to lead to further enforcement action by the ICO and could result in prosecution.

Ken Macdonald will be speaking at tomorrow’s GC Scotland ’08 ‘Transformation in Practice’ conference, where he will speak about the importance of compliance with the Data Protection Act and the significance of data minimisation when sharing personal information.

A copy of the undertakings can be downloaded from
http://www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx

In the news: BBC: Health boards ‘broke data laws’

About the author: Dissent