Breach details

| Item | Detail |
|---|---|
| What | Loss of sensitive personal information. |
| How much | 79,000 records. |
| When | March 2008 |
| Why | Initially, four hard drives sold on eBay in October and November 2010 were found to contain sensitive personal data of both patients and staff. Despite the Trust's assurance that these were the only drives lost, further hard drives were recovered by the ICO after being sold on eBay. The Trust was unable to explain how an unnamed individual, sub-contracted by a sub-contractor to the Trust's IT supplier to destroy 1,000 hard drives, managed to remove at least 252 of them from the hospital during his five days on the premises. Despite the security precautions taken, insufficient records were kept to provide a reliable audit trail of which hard drives were and were not destroyed. |
Regulatory action

| Item | Detail |
|---|---|
| Regulator | ICO |
| Action | Monetary penalty of £325,000 |
| When | 1 June 2012 |
Why the regulator acted

| Item | Detail |
|---|---|
| Breach of act | Failure to select a data processor able to provide guarantees of technical security, resulting in the loss of hard drives. Inappropriate organisational and technical measures. |
| Known or should have known | The data controller was used to dealing with such information on a daily basis, and the huge volume of personal data on the hard drives was an obvious risk. |
| Likely to cause damage or distress | Medical data of patients. |