What
Loss of sensitive personal data.
How much
About 60 records.
Why
Personal data relating to over 60 patients were found in a garden in Newcastle-under-Lyme. This followed an office move during which an external company was retained to clear out scrap and rubbish from vacated premises.
Regulator
ICO
Regulatory action
Undertaking issued to ensure that in all cases where third party supplies of goods or services will have access to personal data, a written contract must be entered into prior to work beginning which covers data security requirements. Staff must be made aware of the data controller’s policy for the storage and use of personal data and be appropriately trained to follow that policy.
Reason for action
The data controller did not enter into any written contract with the external company, nor where its actions appropriately supervised. It was noted during the clearance operations that boxes of data were being disposed of in open skips, but the data controller failed to react to this in time to prevent loss of some records.
When
27 July 2009
Links
View PDF of the East Cheshire NHS Trust Undertaking (Breach Watch Archive)