North Tees and Hartlepool NHS Foundation Trust has been ordered by the ICO to review its data protection policy after a file containing sensitive patient information was found at a bus stop.
It was one of a number of incidents over the last year which resulted in data being lost or disclosed without authorisation leading to an enforcement notice being issued to the Trust. Other incidents included letters, notes and reports containing patient data being sent to the wrong people.
Investigations carried out by the ICO revealed that at least one department had been knowingly breaching the organisation’s data protection policy on a regular basis, saying they found the rules around secure transportation of documents impractical.
Steve Eckersley, Head of Enforcement at the ICO said:
“The careless way this highly sensitive personal information has been handled is embarrassing for the Trust involved. Even though the organisation had over-arching policies in place, they obviously weren’t being followed and didn’t seem to be suitable for every department. It’s important that every organisation not only has the correct policies and procedures in place but also that those policies are followed. That includes providing the right training for staff so everyone can take their data protection responsibilities seriously.
“An action plan was put in place after earlier breaches but clearly parts of the plan have been ineffective and after consideration we decided to issue an enforcement notice to improve compliance and to protect individuals.”