The Great Ormond Street Hospital for Children NHS Foundation Trust has signed an undertaking with the Information Commissioner’s Office following four separate incidents in the last 18 months where letters containing medical information have been sent to the wrong address.
In most of these cases, the letters had been sent out by temporary or bank members of staff who had not received any relevant data protection training.
Although data protection training was in place, it was not required for temporary members of staff, and failures to attend training did not appear to be followed up or enforced in any way.
On investigating these matters further, the Commissioner discovered that there was a lack of either high level policies or local level procedures to ensure the accuracy of addresses, or for checking that the correct addresses had been used. In some of the cases, the letters were seen by another member of staff before being sent, but no checking was carried out.
The undertaking specifies the remedial actions to be taken by the trust to comply with the Data Protection Act.