University Hospitals Coventry & Warwickshire NHS Trust breached the Data Protection Act by losing patients’ medical information on two separate occasions, the Information Commissioner’s Office (ICO) said today. The ICO’s action and press release was intended to make the point that even “small” breaches in terms of numbers are important and can indicate a pattern or problem that requires remedial action.
In February, records relating to the treatment of 18 patients were found in a communal waste bin at a residential apartment block. The information had been taken home by a member of staff and accidentally disposed of in a public bin along with other rubbish.
In a second incident – which took place in May – a member of the public discovered details relating to a patient’s sensitive medical procedures and test results which were allegedly found in a bin outside Coventry University Hospital. That incident was reported in the media and was previously mentioned on this blog.
The ICO’s investigation found that the trust’s policies and procedures on the use of personal information were not sufficient. During the Commissioner’s investigation, concerns were also raised about the delivery and collection point for patient notes at one of the Trust’s hospitals.
Sally Anne Poole, Acting Head of Enforcement said:
“The fact that the trust lost sensitive personal information on two separate occasions within the space of two months is clearly not acceptable. Organisations across the health service must recognise that they hold some of the most sensitive personal data available and that it must never be disposed of in the same way as routine household waste.”
The ICO has now ordered the trust to review its policies to make sure that personal information is adequately protected and disposed of. Staff will be trained to follow the trust’s updated guidelines and new procedures governing the handling of clinical data. The hospital will also carry out routine monitoring to ensure that procedures are being followed.