The Information Commissioner's Office (ICO) said that NHS Surrey had been guilty of a serious breach of the Data Protection Act (DPA).
The watchdog criticised NHS Surrey for switching providers of data destruction services to a company that offered its services for free without putting in place measures to ensure the data was being securely disposed of.
NHS Surrey had failed to put a contract governing data destruction in place with a company it used to destroy data held on its old computer systems, although the company did offer "written assurances" that the data would be destroyed, according to the monetary penalty notice the ICO served. (13-page / 157KB PDF)
The data destruction company offered NHS Surrey its services for free on the basis that it could sell the unwanted devices on and retain the proceeds from the sales itself. However, one individual who bought a second-hand computer on an online auction site found medical records still stored on the device and reported this to NHS Surrey.
NHS Surrey matched the computer's serial number to its destruction certificate and subsequently found that a further three of its old computers sold on the online auction site "contained confidential sensitive personal data".
"The Commissioner would expect [NHS Surrey] to have carried out a proper risk assessment and chosen a data processor providing sufficient guarantees in a written agreement that the hard drives would be physically destroyed and that destruction certificates containing serial numbers for each individual drive would be provided," the monetary penalty notice said.
"[NHS Surrey] should then have taken reasonable steps to ensure compliance with those measures such as effectively monitoring the destruction process and maintaining audit trails and inventory logs of hard drives destroyed by the company based on the serial numbers in the destruction certificates for each individual drive," it said.
Under the DPA data controllers are required to take "appropriate technical and organisational measures" to ensure against the "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".
When outsourcing personal data processing to others, data controllers are required to select processors that can provide "sufficient guarantees" that they can properly meet the "technical and organisational measures" requirement and that they will "take reasonable steps" to "ensure compliance".
The data controllers must establish a written contract with data processors specifying that the processor may only undertake processing activities that the controller tasks them with, whilst the contract must also hold the processors to meeting the "technical and organisational measures" requirement of the DPA. The data controller is also responsible for those personal data security standards being met by the processors to which they outsource.
Further rules apply to outsourcing of personal data processing where processing takes place outside the European Economic Area.
The ICO said that more than 3,000 patient records that should have been destroyed were found on the old computers recovered by NHS Surrey.
"The facts of this breach are truly shocking," Stephen Eckersley, the ICO's head of enforcement, said in a statement. "NHS Surrey chose to leave an approved provider and handed over thousands of patients' details to a company without checking that the information had been securely deleted. The result was that patients' information was effectively being sold online."
"This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case. We should not have to tell organisations to think twice, before outsourcing vital services to companies who offer to work for free," he added.
