ICO fines former primary care trust £100,000
ICO fines former primary care trust £100,000

Stockport Primary Care Trust has been issued a £100,000 monetary fine by the Information Commissioner's Office (ICO) after patient records were found at an unused facility.

According to the ICO undertaking, the site has been closed since 2010 and a new purchaser found boxes of waste that contained information relating to patients, including names that they recognised, together with some HR records.

The purchaser contacted Stockport MBC who notified the data controller who collected them, and found that they contained approximately 1,000 documents containing patient identifiable data including work diaries, letters, referral forms and patient records.

These included confidential and highly sensitive personal data relating to over 200 data subjects containing details about miscarriages, incontinence problems, child protection issues and a document from the police about the death of a child.

The ICO's investigation revealed two earlier security incidents where confidential and highly sensitive personal data had been left behind in secure buildings owned by the trust. Stockport PCT was dissolved on 31 March 2013 with its legal responsibilities passing to the NHS Commissioning Board. The board will be required to pay the penalty amount by 3rd July or serve a notice of appeal by 5pm on 2nd July 2013.

The ICO said that it would also be speaking to the NHS Stockport Clinical Commissioning Group to pass on the learning that should be taken from this incident. It said that it had "sufficient financial resources to pay a monetary penalty up to the maximum without causing undue financial hardship", as the data controller is a public authority, so liability to pay any monetary penalty will not fall on any individual.

David Smith, deputy commissioner and director of data protection at the ICO, said: “It's crucial that organisations don't take their eye off the ball when moving premises. This NHS trust's efforts to keep its patients' confidential records secure were completely undermined by its failure to properly decommission the premises it was leaving.

“The highly sensitive nature of the documents left behind makes this mistake inexcusable, and there can be no doubt that the penalty we've served is both necessary and appropriate.

“In the last year we have served two six figure penalties on organisations that have left large volumes of personal information behind when leaving a site. These penalties highlight the need for organisations to have effective decommissioning procedures in place and to make absolutely sure that these procedures are followed in practice.”