In the second of two undertakings announced by the Information Commissioner’s Office on April 11, the Council for Healthcare Regulatory Excellence (CHRE) was found to be in breach of the Data Protection Act after the possible loss of documents from complaint review files containing sensitive personal data. The ICO notes, however, that “due to weaknesses in CHRE’s document recording, administration and communication processes the organisation cannot be certain if the information was ever received or whether it was subsequently lost or destroyed.”
Harry Cayton, Chief Executive of CHRE stated:
The Information Commissioner (the ‘Commissioner’) was provided with two reports from CHRE in November and December 2010 regarding the possible loss of a number of hard copy documents containing the sensitive personal data of several individuals involved in three separate complaint review cases.
In November 2010, when CHRE came to review the cases, certain documents on each file could not be accounted for. Some of these documents included information about individuals’ health and criminal convictions. It is not known for certain whether the paperwork in question was ever received into CHRE’s offices, or if it has since been lost or destroyed. These incidents highlighted significant weaknesses in CHRE’s document recording, administration and communication processes.
That’s bad, and reminds me of what we saw the other day in a report the other day by Phoenix Ireland, where the life assurance firm admitted that it did not know whether the backup tape had even been created, and if it had, whether it had ever been shipped to another office. Such failures in record-keeping are not only embarrassing but should result in stern penalties.
CORRECTION: I had indicated that there was no accompanying press release. One was issued.