ICO hits health trust with £225,000 fine


The Information Commissioner's Office (ICO) has hit an Irish healthcare trust with a fine of £225,000 for breaching the Data Protection Act (DPA).

Belfast Health and Social Care Trust (BHSCT) received the fine for failing to secure and destroy "historical" documents containing personal information about staff and patients.


The BHSCT merged with six local Trusts in April 2007 and, in turn, took over the management of more than 50 disused sites.

Trespassers accessed one of these sites, Belvoir Park Hospital, in March 2010 and took photos of patient records to post online.

Following this, the Trust reportedly tightened up security at seven hospital buildings, which contained a large number of patient and staff records, some of which dated back to the 1950s.

A local newspaper reported in April 2011 that it was still possible to access the site without authorisation, prompting the Trust to ramp up the number of security guards patrolling the area.

The story resulted in another inspection, during which more records were uncovered, putting the Trust in breach of its own "Records Retention and Disposal" policy.

The Trust has now been rapped by the ICO for not reporting the incident at Belvoir Park and for failing to secure and destroy its aged medical records.

Ken Macdonald, the ICO's assistant commissioner for Northern Ireland, said thousands of staff and patients had been affected by these incidents.

"The Trust failed to take appropriate action to keep the information secure, leaving sensitive information at a hospital site that was clearly no longer fit for purpose," he said.

"The Trust has failed significantly in its duty to its patients, and we hope that the action we've taken sets an example for all organisations that they must keep personal data secure, irrespective of where they choose to store it."

The ICO said BHSCT has now removed the patient records and, where appropriate, securely destroyed them.

It has also introduced a decommissioning policy to ensure that all personal data is destroyed once it is no longer needed.

In a statement to IT Pro, the Trust said paying the fine will not come at the expense of patient care.

"[We have] accepted the fine by the Information Commissioner's Office for a serious breach of data storage," it read.

"The records concerned are historical and do not concern any current patients. This in no way excuses the distress this may have caused, something we apologise for. The fine will be paid from efficiency savings and will not affect patient care," it concluded.

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.