Records included personal information of former patients and some staff
The Information Commissioner’s Office (ICO) has said the Dartford and Gravesham NHS Trust breached the Data Protection Act by "accidentally" destroying 10,000 archived records.
The ICO blamed the Trust for negligence. It said that the records — some of which included the names and addresses of former patients and some staff, and a limited amount of medical information relating to the patients’ previous treatment — should have been kept in a dedicated storage area. Instead, the records were put in a disposal room due to lack of space, said the ICO.
The records were then "mistakenly" removed from the room and destroyed between the 28 and 31 December 2010. Furthermore, the hospital failed to realise that the information was missing for three months, said the ICO.
The Trust has been unable to establish how many of the records would have contained personal information – the majority of which would have been several years old. But the Trust has confirmed that the loss of these records does not pose a clinical risk to data subjects affected by this incident.
The ICO has ordered the Trust to take action to ensure its staff are made aware of data protection polices and procedures and that they receive suitable training on how to follow them. The Trust will also regularly monitor their staff to make sure policies are being correctly followed, said the ICO.
Acting Head of Enforcement Sally Anne Poole said although the majority of information lost was several years old and only being kept for archiving purposes, there is no excuse for failing to keep it secure.
"The hospital should have ensured that the records were kept in a safe area – and, had they had adequate audit trails in place, they would have been able to keep track of where this information was at all times," said Poole.
A further undertaking has also been signed by Poole NHS Trust after two diaries – containing information relating to the care of 240 midwifery patients – were stolen from a nurse’s car. The diaries included patients’ names, addresses and details of previous visits and were used by the nurse during out of hours duty.
The ICO said that the Trust has now taken action to keep the personal information it uses secure, includes making sure patient information is not left in unattended vehicles and that papers only contain the minimum amount of data necessary. The Trust will also anonymise information where possible.