Breach details
| What | Personal data including information on physical or mental health. |
| How much | An unknown number of incidents including the faxing of confidential service user information to the wrong recipient and the inappropriate disclosure of personal data to professionals working with the Trust. |
| When | An unknown period, dating to at least May 2011. |
| Why | A number of security incidents led to the Commissioner’s investigation into the Trust. It was discovered that most of the staff involved in these incidents had not received the supposedly mandatory Information Governance training, and the Trust failed to monitor and enforce staff completion of training. This led to staff being unaware of Information Governance policies. |
Regulatory action
| Regulator | ICO | Action | Undertaking to comply with the seventh data protection principle. |
| When | 13 August 2013. |
| Details | From the date of this undertaking staff are to be made aware of policies regarding the storage and use of personal data and are given appropriate training in this and in dealing with security breaches. Measures should be put in place to ensure that staff attend all mandatory training. In addition, portable devices used to store personal data must be encrypted. |
Links
| View PDF of the Northern Health and Social Care Trust Undertaking (Breach Watch Archive) |
| View PDF of the Northern Health and Social Care Trust Undertaking (Via ICO Website) |
Follow Up
| The ICO conducted a follow up assessment in December 2013 (published on 10 January 2014). |
| View PDF of the Northern Health and Social Care Trust Follow Up (Breach Watch Archive) |
| View PDF of the Northern Health and Social Care Trust Undertaking Follow Up (Via ICO Website) |