|Loss of sensitive personal data.
|24 March 2011
|A secretary accidentally sent a letter containing sensitive personal information to the wrong person. The correct patient’s surname had been spelt two different ways by a doctor, the letter lacked any other identifiers, and the secretary accidentally chose the wrong record from the electronic patient record system.
|Monetary penalty of £70,000
Undertaking issued to ensure that the checking processes to confirm patient identity prior to issuing correspondence, recommended by an internal investigation, are immediately adopted across all the data controller’s sites.
|30 April 2012
Why the regulator acted
|Breach of act
|Letter sent to the wrong recipient. Letters should not be dispatched without being checked by management.
Inappropriate organisational and technical measures.
|Known or should have known
|Staff were used to dealing with sensitive data, but management allowed secretaries to simply rely on the electronic system rather than double-checking.
|Likely to cause damage or distress