An Ipswich GP has been rapped by the Information Commissioner’s Office after a computer server holding sensitive information was found in the practice car park.

Dr Paul Thomas of the Gipping Valley Practice agreed to sign an undertaking to abide by the Data Protection Act after a server containing “the sensitive personal information of a large number of the practice’s patients and some personal data of its employees” was found by a member of NHS Suffolk.

Specifically, he has agreed to improve the practice’s processes for decommissioning computers and other electronic equipment that might hold personal data, and to take other steps to improve data security.

Sally-Anne Poole, head of enforcement and investigations at the ICO, said it was important that sensitive personal information was handled securely and she was pleased Dr Thomas was taking action.

The GP is not alone in failing to dispose of information properly. The ICO has also required East Cheshire NHS Trust to sign an undertaking to comply with the Data Protection Act after pages from an Accident and Emergency register were found in a garden.

The pages contained “sensitive personal data relating to the physical and mental health of over 60 patients” and turned up in the garden in Newcastle-under-Lyme after an external company was contracted to clear them from an old office.

The contractor was not given a written contract and documents were disposed of in open skips.

The trust’s undertaking says that, in future, contracts will be placed and that these will set out requirements for handling sensitive data. It also says staff will be trained on trust policies for storing and using personal information.
