Data protection audit and advice

The latest news on Data Protection Act breaches, data security risks, forthcoming legislation and requirements:


How we can help

Your organisation could benefit from our expertise in the following broad areas:

  • Audits, health-checks & risk analysis
  • Compliance support
  • Policy-checking & authoring
  • Advice & support
  • Development & training.

Of course, there are other benefits, too:

  • You can breathe a big sigh of relief
  • You may not need to employ your own people to look after data protection
  • There are genuine business benefits in getting your data protection right.

NHS Surrey fined £200,000 for not checking the destruction of old PCs

12 July 2013 — NHS Surrey was fined £200,000 after over 3,000 patient records were found on a second-hand PC bought on an online auction site. The sensitive information was left on the computer and sold by a data-destruction company used by NHS Surrey to wipe and destroy their old equipment. A member of the public who had bought a second-hand computer online found that it contained HR records and records of around 900 adult and 2,000 child patients. NHS Surrey reclaimed a further 10 of their old computers, 3 of which still contained sensitive personal data. The ICO found that NHS Surrey had no contract in place with their provider and failed to observe and monitor the data destruction process. Read more...

Staffordshire trust fined £55,000 for fax blunder

13 June 2013 — The ICO has fined North Staffordshire Combined Healthcare NHS Trust £55,000 after sensitive medical details of 3 patients were sent to a member of the public. Three separate faxes (which should have been faxed to the trust’s Wellbeing Centre) were sent to the same member of the public due to repeated incorrect dialling. The trust was eventually alerted to the problem after receiving a letter from the recipient. The information disclosed included confidential and highly sensitive information, including the patients’ names, addresses, medical histories, and details of their physical and mental health. The ICO stated that the breach was “entirely avoidable”. Read more...  

Trust fined for not removing records held at a former site

3 June 2013 — The ICO has fined Stockport Primary Care Trust £100,000 after the discovery of a large number of patient records at a site formerly owned by the trust. The new owner found boxes of waste containing personal information: 1,000 documents including work diaries, letters, referral forms and patient records containing personal information. Some of the documents contained particularly sensitive data relating to 200 patients, including details of miscarriages, child protection issues and, in one case, a police report relating to the death of a child. Read more...  

Stolen database lands community health manager with ICO fines

23 May 2013—A former manager of a health service based at a council-run leisure centre in Southampton has been fined by the ICO for taking sensitive medical information about over 2,000 people which he intended to use in setting up his own new fitness company. He was fined £3,000 and ordered to pay a £15 victim surcharge and £1,376 prosecution costs. The manager previously worked as a community health promotions manager based at Bitterne Leisure Centre, and emailed the information to his personal account in 2011 after hearing he was being made redundant. He had previously been responsible for managing the council’s Active Options GP referral service, where patients would be referred by their GP or other health professional to attend fitness sessions for a range of conditions including obesity, diabetes, arthritis, and cardiac and mild mental health issues. The council became aware of their former employee’s actions when they received complaints about patients being approached by Mr Hedges. Read full story...

Nursing & Midwifery Council fined £150,000

15 February 2013—The Nursing and Midwifery Council has been fined £150,000 for breaching the Data Protection Act after losing 3 DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. The information was not encrypted. The council had been couriering evidence relating to a ‘fitness to practise’ case to the hearing venue; when the packages were received the discs were not present, though the packages showed no signs of tampering. Following the security breach the council carried out extensive searches to find the DVDs, but they were never recovered. Read full story...

Trust fined £175,000 for publishing sensitive staff information online

6 August 2012—Torbay Care Trust, Torquay, Devon, has been fined £175,000 after accidentally publishing the sensitive details of over 1,000 employees in a spreadsheet on the trust’s website. The mistake was only brought to light 19 weeks later, when it was reported by a member of the public. The data included individuals’ names, dates of birth and National Insurance numbers, along with sensitive information about religion and sexuality. The ICO’s investigation found that the Trust had no guidance for staff on what information shouldn’t be published online and had inadequate checks in place to identify potential problems. Read full story…

NHS trust fined £60,000 for using wrong address

12 July 2012—The ICO has fined St George’s Healthcare NHS Trust, London, £60,000 after a vulnerable individual’s sensitive medical details were sent to the wrong address. The letters were addressed to the correct recipient—but they hadn’t lived in the property for almost 5 years. An ICO investigation found that the individual’s current address had been provided to the trust’s staff, and also logged on the national care records service, known as NHS SPINE, in June 2006. The trust’s staff failed to use the address, or check that the individual’s recorded address on their local patient database matched the data on the SPINE. Read full story…

Record £325,000 fine for Brighton & Sussex NHS Trust

1 June 2012—In the highest fine the ICO has ever imposed, Brighton and Sussex University Hospitals NHS Trust must pay £325,000 after a serious breach of the Data Protection Act. Highly sensitive personal data belonging to tens of thousands of patients and staff, which had been stored on hard drives, were sold on an internet auction site in 2010. They contained details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. They also included staff National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences. The breach occurred when an individual engaged by the trust’s IT service provider, Sussex Health Informatics Service (HIS), was asked to destroy approximately 1,000 hard drives held in a room accessed by key code at Brighton General Hospital. A data recovery company bought four hard drives from a seller on an Internet auction site in December 2010, who had purchased them from the individual. The trust has been unable to explain how the individual removed at least 252 of the hard drives they were supposed to have destroyed. Read full story…

NHS trust fined £90,000

21 May 2012—Central London Community Healthcare NHS Trust has been fined £90,000 following a serious breach of the Data Protection Act, after patient lists from the Pembridge Palliative Care Unit, intended for St John’s Hospice, were faxed to the wrong recipient. The patient lists contained sensitive personal data relating to 59 individuals, including medical diagnoses and information relating to their domestic situations and resuscitation instructions. Read full story…

First NHS penalty for data breach: £70,000

30 April 2012—A Welsh health board has become the first NHS organisation to be served a monetary penalty following a serious breach of the Data Protection Act. The Aneurin Bevan Health Board was fined £70,000 after a sensitive report, containing explicit details relating to a patient’s health, was sent to the wrong person. The error occurred when a consultant did not include enough information for a secretary to identify the correct patient. Due to the doctor also misspelling the patient’s name, the report was sent to a former patient with a very similar name. Read full story…

Compulsory audits are on the cards

13 October 2011—The ICO has said powers are needed to conduct compulsory data protection audits in local government, the health service and the private sector, because the ICO is being blocked from auditing organisations in sectors which are causing concern over their handling of personal information. At present, only central government departments are subject to compulsory data protection audits. Read full story…

Health service must get it right, says ICO

1 July 2011—The ICO has found a further 5 health organisations in breach of the Data Protection Act. The health service holds some of the most sensitive personal information of any sector in the UK, they say, and yet staff continue to lose information, put it on unencrypted memory sticks or fax it to the wrong number. In February 2011, Ipswich Hospital NHS Trust misplaced 29 patient records after a member of staff took them home to update a training log and then lost the records. Also in February, Dunelm Medical Practice in Durham sent discharge letters about two patients’ routine operations to the wrong recipient. Read full story...

Health authority loses laptop with over 8.5 million patient records

17 June 2011—A laptop containing unnamed patient information disappeared from a division of the NHS North Central London health authority, putting the privacy of patients at risk. The laptop was one of 19 others lost and contained the unencrypted health details of over 8.63 million people plus records of 18 million hospital visits, operations and procedures. Read full story...

One year to comply with new cookies law

25 May 2011—Organisations with websites aimed at UK consumers have up to 12 months to ‘get their house in order’ before enforcement of the new EU cookies law begins. The government has revised the Privacy and Electronic Communications Regulations, which come into force in the UK on 26 May, to address new EU requirements. The Regulations make clear that UK businesses and organisations running websites in the UK need to get consent from visitors to their websites in order to store cookies on users’ computers. Read full story...



© Data Protection Consultancy Ltd, 29 Shadwell Lane, Leeds LS17 6DP