Camden PCT falls foul of ICO for breaches of Data Protection Act

The Information Commissioner’s Office (ICO) has taken enforcement action against Camden Primary Care Trust (PCT) following a breach of the Data Protection Act.

Nine computers containing 2,500 individuals’ names, addresses and medical diagnoses were left beside a skip inside the grounds of St Pancras Hospital in August 2008.

The privacy watchdog said the information was not encrypted and, although the computers were no longer in use, the data controller had not authorised their disposal and did not discover the incident for 13 days.

To make matters worse the PCs were removed from the scene and never recovered.

Mick Gorrill, Assistant Information Commissioner at the ICO, said: "The ICO takes all data breaches seriously. Individuals must feel confident that their personal health records will be handled properly by NHS bodies.

"Over 2,500 individuals may have suffered anxiety as a result of this breach with the worry that their medical records could fall into the wrong hands. This incident highlights organisational error and will no doubt damage public trust in the NHS locally.

"I am increasingly concerned about the way some NHS organisations dispose of sensitive patient information. Organisations need to ensure they implement appropriate safeguards to ensure personal details about patients are disposed of in compliance with the Data Protection Act."

The Trust has now been ordered by the ICO to ensure all personal information is removed from computer equipment as soon as it is decommissioned. The PCT has been ordered to update the ICO on progress made by 31 March 2009.

Failure to meet the terms of the Enforcement Notice would be a criminal offence and may lead to pr osecution.