In one of two undertakings announced by the Information Commissioner’s Office, NHS Liverpool Community Health indicated that it had breached the Data Protection Act (DPA) by losing papers relating to the medical history of both 31 preschool children and their birth mothers during a premises move in October 2010.
The ICO’s investigation found that NHS Liverpool had no formal contract in place with the removal company to handle personal data – a requirement of the Act – and had no process in place to ensure personal data was kept secure throughout the move. According to the undertaking, there was confusion at the time over whether files could be transported while still in their file cabinets, and staff found themselves transferring the records to unlocked crates at the last minute, without any inventory made of the number of crates or adequate record keeping and protection.
The undertaking, signed March 3, was revealed on the ICO’s web site on April 11.
CORRECTION: I had indicated that there was no accompanying press release. One was issued.