There have been many instances in the U.S. of personal data showing up on equipment sold at online and offline auctions. Once such case in the U.K. involved doctors’ data and the company responsible for the data, Healthcare Locums Plc (HCL), a UK specialist healthcare recruitment agency, has now been found in breach of the Data Protection Act (DPA).
The Information Commissioner’s Office (ICO) was first informed of the breach when HCL confirmed that a hard drive containing doctors’ security clearance and visa information had been sold on an auction website before being returned. Inquiries established that the equipment was last recorded as being transferred from HCL’s Skipton branch to its branch in Loughton earlier this year. Because HCL had no inventory list for the transfer, it failed to realize the storage device had gone missing until it was reported by a member of the public. The device was eventually returned to the agency and wiped in June 2010.
Mo Dedat, Chief Operating Officer of Healthcare Locums Plc, has signed a formal Undertaking outlining that the organization will ensure contracts are put in place between the organization and any contractors it uses to process personal data on its behalf. Healthcare Locums will also ensure that records of equipment used to process personal data are maintained and updated in order to ensure any similar incidents are detected quickly and handled appropriately.
A full copy of the Undertaking can be found here:
http://www.ico.gov.uk/what_we_cover/promoting_data_privacy/taking_action.aspx