Primary Care Trust lose 1.6 Million Personal Detail Records

The personal details of 1.6 million individuals were lost after they were placed on a CD that accidentally got sent to landfill.

According to the Information Commissioner’s Office (ICO), Eastern and Coastal Kent Primary Care Trust sent to landfill a filing cabinet that contained the CD. The disc had on it the address, date of birth, NHS number and GP practice code of approximately 1.6 million patients.

The ICO said that when planning an office move, the trust deemed it appropriate to store the CD in the filing cabinet concerned. However, the project manager co-ordinating the move was not told about the existence of the CD. It was also found that the team concerned was not up to date with its information governance training and had not accessed relevant guidance on how to dispose of the CD.

Considering the data controller’s compliance with the provisions of the Data Protection Act and determining the remedial action that was taken by the data controller, the ICO said it would not serve an enforcement notice. “Whether the CD is lost forever or will end up in the right or wrong hands may still be unknown, but the stark fact is that the personal details of more than 2.5 per cent of the UK’s population have been lost and could possibly be used for identity theft. In this case, the ICO has decided that a civil penalty should not apply, even though this summer it singled out the NHS as treading on thin ice with data breaches.”

This is just one more data handling disaster to add to the plethora of incidents reported over the last few years, most of which could have been avoided through an understanding of data handling requirements and the ability to implement controls.

Due to the sheer nature of the industry (and the press), it’s very rare that we hear of the data handling success stories. Many of Regency’s clients could tell such stories: our consultants have worked with clients to identify and document the types and amounts of personal data collected and processed, identify risks and implement controlling measures. We have developed a pre-Privacy Impact Assessment (PIA) screening process and PIA report that has provided clients with confirmation to the ICO that their data collection, processing, storage and destruction processes and systems comply with the 8 principles contained within the Data Protection Act, and that they undertake their responsibilities as data custodians responsibly. We have advised on governance, information assurance strategy and training that enforces a security-aware culture across the organisation.

Why bother reporting on that? Where’s the newsworthy story there?

To find out more on the PIA process and how to ‘not make the news’, see our ‘white paper’ or visit us on the Web.