There was no press release or fanfare, but the UK’s Information Commissioner’s Office web site indicates that Northamptonshire Healthcare NHS Foundation Trust has signed an undertaking with the ICO over the loss of an individual’s medical records.
According to the undertaking:
The personal data was recognised as missing when the data controller received a subject access request from the individual concerned.
On receiving the subject access request,records originally provided to them by their predecessor trust were searched. In doing so, it was found that these records were not indexed. The data controller was unable to locate the individual’s records but was able to provide a partial set comprised of letters held in complaints files. On finding that all the records held were not indexed, the data controller did ensure that they were then indexed and is in the process of converting all its paper medical records to an electronic format to prevent a reoccurrence of such an incident.
Okay, I’m the first one to argue that every individual’s privacy matters, but in light of some huge issues involving data loss in the UK, is this really necessary or proportional? This week, the ICO also issued an undertaking involving the Lancashire Police for failure to redact information before uploading it to the Internet and for failure to remove it promptly when notified of the privacy breach. Again, an important issue but an N=1 case. Did ICO penalize Eastleigh Borough Council for its list of dangerous residents that leaked? And where are all the undertakings for police who have lost confidential files in car parks or pubs or on the train – or worse, who helped reporters invade citizen’s privacy?
A little proportionality might be a good thing.