Patient records left at bus stop

The ICO has found an NHS Trust to be in breach of the Data Protection Act

Compliance with the Trust’s policies on data protection will be monitored

The Information Commissioner’s Office (ICO) has found Royal Wolverhampton Hospitals NHS Trust to be in breach of the Data Protection Act (DPA) following the loss of more than 100 patient records.

An unencrypted CD lacking even basic password protection and containing the sensitive medical records of 112 patients was found at a bus stop near the hospital.

Mick Gorrill, head of enforcement at the ICO, said: "The fact that this information was several years old is of no consequence – patients’ personal data should always be handled in accordance with the Data Protection Act. I am pleased that the Trust has agreed to take remedial steps to ensure such an incident does not happen again."

Mark Fullbrook, UK and Ireland director at Privileged Identity Management and information security expert at Cyber-Ark, said: "With the ICO yet to use its powers to issue heavy fines to organisations in breach of the DPA, the Royal Wolverhampton Hospitals NHS Trust should count itself very lucky.

"What is particularly disappointing in this case is that, with so many better-enabled devices and means of storing information, should this highly sensitive information have really been held and transported by CD? The Trust could not even explain how and why an unprotected CD with patient records was produced in the first place."

The Trust has agreed to sign a formal undertaking that it will follow DPA guidelines in future. Compliance with the Trust’s policies on data protection and records management will also be regularly monitored.