Data watchdog urges end users to shun free providers as it fines a Southern NHS trust over shocking patient records breach.
The Information Commissioner's Office (ICO) has sounded a warning over “free” IT disposal services after handing out a £200,000 fine to an NHS trust that presided over “one of the most serious breaches it has witnessed”.
The issue of so-called free IT asset disposal (ITAD) services reared its head earlier this year after some of the industry’s established players slammed an MP for promoting a firm offering this model in his local constituency.
They claimed any ITAD operating a free or “we-pay-you” model cannot cover the costs required to dispose of equipment securely.
The ICO today lent its voice to the cause as it announced it had fined the Southern NHS £200,000 after more than 3,000 patient records were found on a second-hand PC bought through an online auction site.
The PCs were sold by a data destruction company the Southern NHS had employed since March 2010. The company had agreed to carry out the services free of charge, then sell on any salvageable materials once the hard drives had been securely destroyed.
Stephen Eckersley, ICO head of enforcement, blasted the Southern NHS's decision to leave an approved provider and hand over thousands of patient details to a company without checking the information had been securely deleted.
“This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case,” he said.
“We should not have to tell organisations to think twice before outsourcing vital services to companies who offer to work for free.”
The Southern NHS was first alerted to its blunder in May 2012 when it was contacted by a member of the public who had recently bought a second-hand PC online and found it contained details of patients treated by the trust.
This included records relating to about 900 adults and 2,000 children.