From the Information Commissioner’s Office:
The Information Commissioner’s Office (ICO) has ordered Grampian Health Board (NHS Grampian) to take action to make sure patients’ information is better protected.
The warning comes after six data breaches within a thirteen month period where papers containing sensitive personal data were left abandoned in public areas of the hospital and one case where the information was found at a local supermarket. All of the papers were returned to staff, with the final incident occurring on 28 March 2014.
The ICO’s investigation found the same mistakes continued to occur because NHS Grampian didn’t have an information register identifying the personal information held and the department responsible for looking after it. This gap in their procedures resulted in the organisation failing to take sufficient remedial action. The ICO previously alerted NHS Grampian to this oversight during an audit carried out in December 2011, but the organisation failed to act.
This is not the first time Grampian NHS has been required to sign an undertaking. In September 2009, PHIprivacy.net reported that Grampian had signed an undertaking following three separate incidents: a nursing manager had inappropriately emailed 50 staff with sensitive personal details relating to a patient, lack of secure storage on the labor ward enabled someone to remove the personal details of 200 patients from a confidential waste sack, and a laptop with unencrypted details of 1,500 patients in the gastroenterology clinic was stolen from a locked office.
In 2012, this site noted a report that 50 patient records had gone missing or were lost in the previous year. At that time, the public did not know about the consensual audit Grampian had undergone or its findings.
The ICO’s current enforcement notice requires Grampian to produce an overarching high level information asset register assigning owners in line with best practice, by 22 June 2015. The register must explain which areas of the organization are responsible for keeping the personal information they handle secure. Grampian must provide a progress report showing how these improvements are being made by 31 March 2015, and confirm completion by 29 June 2015.
Given its past history, Grampian should consider itself fortunate that there was no monetary penalty.