A Warwickshire-based company has committed to taking action to protect personal data, following a breach of the Data Protection Act (DPA).
The breach occurred when a system used by Pharmacyrepublic Limited to record the medication handed out to around 2000 patients was stolen from one of its premises, the Information Commissioner’s Office (ICO) said today.
Pharmacyrepublic Limited contacted the ICO in September to report the theft of a Patient Medication Record (PMR) system. The system contained details of the medicine handed out to patients at one of its pharmacies, and was stolen while the pharmacy was being transferred to another provider. The system was supplied by another firm and Pharmacyrepublic failed to ensure that the system was securely returned to the company before leaving the premises.
The ICO’s investigation found that the system – which was password protected – contained a limited amount of sensitive information relating to the medicine being administered to the pharmacies’ patients. The system was used to identify any problems when multiple drugs were administered to the same patient. The data hasn’t been recovered.
Stephen Eckersley, the ICO’s Head of Enforcement said:
“It is important that companies have measures in place to keep personal information secure at all times. If a company is vacating premises then they should ensure that any equipment used to store peoples’ data is handled correctly. In this case the system should have been returned to the wholesaler safely and securely.
“This incident should act as a warning to all healthcare providers – your data protection obligations do not end while the personal information of your patients remains on site and in your control.”
Pharmacyrepublic Limited has now agreed to take action to keep the personal data it handles secure. This includes updating its procedures to ensure that PMR data is securely handled prior to any future transfer of ownership. All staff will also be made aware of the company’s procedures for the safe storage and retrieval of personal data ,and appropriately trained on how to follow these.