The Information Commissioner’s Office (ICO) has issued a monetary penalty of £55,000 to North Staffordshire Combined Healthcare NHS Trust. The penalty follows a serious breach of the Data Protection Act which resulted in sensitive medical details of three patients being sent to a member of the public.
The details were released between August and September 2011 when three separate faxes, which should have been faxed to the trust’s Wellbeing Centre, were sent to the same member of the public.
The error was caused by the fax number for the centre being incorrectly dialled each time. The trust was eventually alerted to the problem after receiving a letter from the recipient.
The Wellbeing Centre was responsible for providing psychological therapies for the trust. The information disclosed included confidential and highly sensitive information, including the patients’ names, addresses, medical histories, and details of their physical and mental health.
The ICO’s investigation found that while the trust had published best practice guidance which required staff to ‘phone ahead’ to make sure faxes were being sent to the right address and had been successfully received, this guidance had not been communicated to the staff involved and they had received no specific training on the secure use of fax machines.
ICO Enforcement Group Manager, Sally Anne Poole, said:
“Let’s make no mistake, this breach was entirely avoidable. One phone call ahead to the trust’s Wellbeing Centre would have alerted its staff to the fact that the number they were entering was incorrect. This would have stopped highly sensitive information about the care of vulnerable people being sent to a member of the public on three separate occasions.
“This case should act as a warning to all organisations that routinely send out sensitive personal information by fax. Make sure you have appropriate procedures and controls in place, so that errors can be spotted before it is too late.”
The ICO’s guidance on the secure use of fax machines advises that organisations sending personal information by fax should:
- Consider whether sending the information by a means other than fax is more appropriate, such as using a courier service or secure email. Make sure you only send the information that is required. For example, if a solicitor asks you to forward a statement, send only the statement specifically asked for, not all statements available on the file.
- Make sure you double check the fax number you are using. It is best to dial from a directory of previously verified numbers.
- Check that you are sending a fax to a recipient with adequate security measures in place. For example, your fax should not be left uncollected in an open-plan office.
- If the fax is sensitive, ask the recipient to confirm that they are at the fax machine, they are ready to receive the document, and there is sufficient paper in the machine.
- Ring up or email to make sure the whole document has been received safely.
- Use a cover sheet. This will let anyone know who the information is for and whether it is confidential or sensitive, without them having to look at the contents.
SOURCE: Information Commissioner’s Office