North Staffordshire Combined Healthcare NHS Trust

Breach details

What Sensitive personal data (medical) faxed to an incorrect recipient.
How much 3 records.
When August and September 2011
Why Three faxes containing just about every category of sensitive personal data were sent to the wrong recipient. This breach of confidentiality occurred despite the trust having both a secure fax environment and appropriate procedures in place which included call-ahead and a requirement to use pre-programmed destinations. The breach occurred because members of staff were unfamiliar with the policy, so didn’t call ahead and manually dialled the (wrong) recipient’s number.

Regulatory action

Regulator ICO
Action Monetary penalty of £55,000
When 11 June 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the trust had insufficient management controls and did not provide the appropriate training for the staff.
Known or should have known The trust was aware that there was risks sending information by fax because it had introduced the safe haven and best practice. It should have known that the best practice guidelines needed to be backed up by training and management controls.
Likely to cause damage or distress The Commissioner’s usual argument that the data subjects, some of who were vulnerable adults, may have suffered distress knowing that their medical data had been read by an unauthorised third party.