Stockport Primary Care Trust

Breach details

What Patient identifiable data was left in a decommissioned building.
How much About 1000 records, including 200 containing highly sensitive personal data.
When 2010-2011
Why Boxes of paper records were left in a decommissioned building, in full view of prospective purchasers of the building. The eventual purchaser opened the boxes and discovered the information, some relating to people known by the purchaser.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 100,000
When 30 May 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the Council failed to take appropriate organisational measures against the accidental loss of 1,000 documents, some of them containing sensitive personal data.
Known or should have known The NHS trust was used to handling sensitive personal data and would have known such information was stored on the site but did not take ‘reasonable steps’ to safeguard the data such has having a decommissioning policy.
Likely to cause damage or distress There was the potential for substantial distress as data subjects would know that their sensitive personal data had been accessed by an unauthorised party and that the data might be further disseminated. This was exacerbated as some data subjects were known to the data controller.