Two Scottish health boards have been found in breach of data protection laws for leaving patients’ personal information on paper records at abandoned hospitals.
NHS Tayside and NHS Lanarkshire have been ordered to sign an agreement to comply with the Data Protection Act (DPA) or face possible future prosecution.
The Information Commissioner’s Office (ICO) found NHS Tayside and NHS Lanarkshire guilty of being in breach of the DPA after two separate incidents in which confidential patient records were found on hospital sites.
Ken MacDonald, assistant commissioner for Scotland at the ICO, said: “Clearly health records can contain particularly sensitive information and must be held securely and disposed of appropriately when no longer required.”
The assistant commissioner added: “It is also a serious concern that both Tayside and NHS Lanarkshire were keeping information for longer than necessary. We have ordered both NHS bodies to comply with the DPA in future or risk further enforcement action by the ICO.”
The ICO decided not to exercise its full powers under the DPA, which under section 40 would have enabled it to serve an enforcement notice of the two health boards.
The ICO has instead required both health boards sign a detailed agreement to follow the DPA and stick to recommendations made by NHS Quality Improvement Scotland to ensure such problems do not reoccur. If the two Health Boards fail to comply, they have been told they face further enforcement action that could result in prosecution.
In May, it was revealed that documents had been discovered at Strathmartine Hospital, Dundee. Then in July, a similar find was made at the former Law Hospital site in Carluke.
The ICO was alerted to both data breaches earlier this year when members of the public found confidential health records in buildings on the site of the former hospitals.
According to BBC Scotland, confidential information found at the Starthmartine site was reported to include details of a girl’s adoption and a child with foetal alcohol syndrome.
An investigation found that NHS Tayside had repeatedly been warned about the documents but only took action after press reports.
A spokeswoman for NHS Tayside said: "Since the incident at Strathmartine we have reviewed all our medical records and information systems procedures and taken steps to ensure we are in compliance with the Data Protection Act."
Following the two incidents, NHS Quality Improvement Scotland made a series of recommendations that were accepted in full by Scottish Health Minister Helen Sturgeon earlier this year. These included: ensuring disused buildings no longer be used for the storage of any health records or personal identifiable information; that all information held on patients should be stored in their formal health records; and ensuring all NHS staff are trained in data protection and information management. New guidance is also to be developed on the management of patient-identifiable information held by clinical staff who retire or leave their post.
In an unrelated development, the UK Ministry of Justice this week announced proposals to strengthen the powers of the ICO. The proposals centre on enabling the ICO to inspect central government departments and other public sector bodies’ compliance with the DPA without always requiring consent.
The proposed new powers would also impose monetary penalties on data controllers for deliberate or reckless loss of data; and require any person, where a warrant is being served, to provide information required to determine compliance with the DPA.
The ICO welcomed the proposed development but added it would like to have the power to carry out similar audits of private sector organisations as well.