NHS England has been issued with a £200,000 fine from the Information Commissioner’s Office after a former primary care trust was found to have breached the Data Protection Act.
More than 3,000 patient records were discovered on a computer formerly belonging to NHS Surrey that were bought through an online auction site.
The ICO’s head of enforcement has described the incident as one of the most serious cases the ICO has dealt with.
NHS Surrey was dissolved on 31 March so its fine passes to NHS England, an ICO statement explains.
The sensitive information was inadvertently left on the computer. It was sold by a data destruction company employed by NHS Surrey from March 2010 to wipe and destroy its old computer equipment.
The company carried out the service for free, with an agreement that it could sell any salvageable materials after the hard drives had been securely destroyed.
On 29 May 2012, NHS Surrey was contacted by a member of the public who had bought a second-hand computer online and found that it contained the details of patients treated by the PCT.
The organisation collected the computer and found confidential sensitive personal data and HR records, including patient records relating to approximately 900 adults and 2,000 children.
NHS Surrey reclaimed ten computers that previously belonged to it and three still contained sensitive personal data.
The ICO’s investigation found that NHS Surrey had no contract in place with its provider that clearly explained the company’s legal requirements under the Data Protection Act.
It also found that it failed to observe and monitor the data destruction process.
The ICO’s statement says NHS Surrey mislaid the records of the equipment passed for destruction between March 2010 and February 2011 and was only able to confirm that 1,570 computers were processed between February 2011 and May 2012.
The data destruction company was unable to trace where the computers ended up, or confirm how many might still contain personal data.
Stephen Eckersley, ICO head of enforcement described the breach as “truly shocking."
“NHS Surrey handed over thousands of patients’ details to a company without checking that the information had been securely deleted. The result was that patients’ information was effectively being sold online,” he said.
“This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case. We should not have to tell organisations to think twice before outsourcing vital services to companies who offer to work for free.”
NHS England is required to pay the penalty amount by 22 July or appeal by 19 July.
The ICO has produced guidance explaining how old IT equipment containing personal information can be securely destroyed in compliance with the Data Protection Act.