NHS Surrey

Breach details

What: Loss of personal data and sensitive personal data.
How much: Approximately 1,570 hard drives. An unspecified number of records.
When: 08 March 2010 – 02 July 2012
Why: Between 08 March 2010 and 28 May 2012, hard drives containing sensitive personal data were collected for destruction and disposal by a company claiming to specialise in IT disposal. On 29 May 2012 it was found that PCs containing these hard drives were being sold by a third-party company via an online auction site. So far ten of the supposedly destroyed hard drives have been reclaimed. The data controller has been unable to trace the destinations of the remaining PCs.

BW Comments

Disposal of drives is a recurring topic for information security professionals and the Commissioner. As it is easy to select a company with independent certification, it really is unbelievable that organisations continue to contract with random companies that claim to offer destruction services. This MPN should also act as a reminder that a ‘certificate of destruction’ is just a piece of paper: there’s no substitute for watching your old hard drives being put through an industrial shredder.

Regulatory action

Regulator: ICO
Action: Monetary penalty of £200,000.
When: 18 June 2013

Why the regulator acted

Breach of act: Breach of the seventh principle. NHS Surrey failed to ensure the physical destruction of personal data stored on its hard drives. No proper risk assessment of the data processor was carried out; there was no written contract with the data processor requiring the company to comply with regulations; and NHS Surrey did not take appropriate steps to ensure compliance with the regulations.
Known or should have known: NHS Surrey was used to dealing with confidential and personal data on a daily basis and should have known that there was a risk that contravention could occur unless reasonable steps were taken, particularly as some of the ‘Data Devices Destroyed’ certificates issued before January 2011 stated that the hard drives had been ‘wiped/destroyed/recycled’. This project should have been afforded the highest level of security.
Likely to cause damage or distress: Data subjects are likely to have suffered substantial distress knowing that their personal data has been retrieved by a member of the public and might have been offered for sale to unauthorised third parties. They could also be concerned that their data might be further disseminated.

BW Observations

This case is very similar to the Brighton and Sussex University Hospitals NHS Trust case, although here NHS Surrey moved quickly to rectify the problem and didn’t compound it by its own actions. In the MPN the ICO made an indirect reference to the Brighton and Sussex case but levied only 60% of the penalty (£200K vs £325K) on NHS Surrey for losing around 60% more disks (1,570 vs 1,000).