Breach details
What | Loss of sensitive personal data. |
How much | Two records. |
When | 2011 |
Why | Two letters containing confidential and highly sensitive personal data, relating to the subject’s medical condition, were sent to the wrong address, where the subject had resided 5 years previously. The patient’s current address had been provided when the patient was first referred to the data controller for a medical examination. It was also logged in the NHS SPINE, which was not aligned with iClip, the local patient administrative program. Staff involved in compiling the incorrectly addressed letters had received iClip training and were aware that addresses were not always in sync with SPINE, but no verbal checks of the data subject’s address were made. |
Regulatory action
Regulator | ICO |
Action | Monetary penalty of £60,000 |
When | 12 July 2012 |
Why the regulator acted
Breach of act | Staff were not trained in the importance of checking names and addresses and the PDS function on iClip could be bypassed. Inappropriate organisational and technical measures. |
Known or should have known | Staff were used to dealing with such cases and it was known that many staff found the iClip system difficult to use and tended to bypass or disable the PDS. |
Likely to cause damage or distress | Medical data. |
Links
View PDF of the St George’s Healthcare NHS Trust Monetary Penalty Notice (Breach Watch Archive) |
View PDF of the St George’s Healthcare NHS Trust Monetary Penalty Notice (Via ICO Website) |