Stockport Primary Care Trust (SPCT) was guilty of a serious breach of the Data Protection Act (DPA), the Information Commissioner's Office (ICO) said.
The watchdog said that when SPCT sold an old site it had owned it failed to conduct proper checks to ensure that patient records had either been "removed or transferred". The purchaser of the site subsequently discovered boxes containing approximately 1,000 documents after SPCT had vacated the premises, the ICO said.
Within the documents was "patient identifiable data including work diaries, letters, referral forms and patient records" which included "confidential and highly sensitive personal data relating to over 200 data subjects including details about miscarriages, incontinence problems, child protection issues and a document from the police about the death of a child", it said.
"At the time of the security breach, [SPCT] was in the process of decommissioning the site and several Services were being moved to different locations around the area within a short period of time," the ICO said in its monetary penalty notice. (11-page / 141KB PDF) "Each Service within the site had been asked to ensure that confidential waste was ready for collection so that it could be disposed of securely but there was no specific guidance about who was responsible for ensuring its collection."
"The Commissioner understands that the Estates department was responsible for the buildings, fixtures, fittings and furniture and each of the Services was responsible for its records, property and any other contents. Therefore, the Estates department didn't conduct a thorough search before they locked the building because they assumed that it had already been cleared by the relevant Services," it said.
The NHS Commissioning Board will be responsible for paying the fine issued to SPCT after the Trust was decommissioned earlier this year. The ICO said that an aggravating factor behind its decision to fine SPCT £100,000 was the fact the Trust had experienced "two similar security incidents prior to this security breach" which had not been reported to senior management.
Under the DPA the ICO has the power to issue penalties of up to £500,000 for serious data breaches. The Act requires organisations to take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data" and requires organisations to be extra protective over sensitive personal data, such as patient medical records, due to the harm that can result from its unauthorised disclosure.
Last year the ICO fined Belfast Health and Social Care Trust £225,000 after patient and staff records left at an abandoned hospital site were photographed by trespassers and posted on the internet.
"It's crucial that organisations don't take their eye off the ball when moving premises," David Smith, deputy Information Commissioner and director of data protection at the ICO, said. "[SPCT'S] efforts to keep its patients' confidential records secure were completely undermined by its failure to properly decommission the premises it was leaving. The highly sensitive nature of the documents left behind makes this mistake inexcusable, and there can be no doubt that the penalty we've served is both necessary and appropriate."
"In the last year we have served two six figure penalties on organisations that have left large volumes of personal information behind when leaving a site. These penalties highlight the need for organisations to have effective decommissioning procedures in place and to make absolutely sure that these procedures are followed in practice," Smith added.
The ICO said that organisations moving premises should make information security a "priority", allocate responsibilities for moving files and that the integrity of data is kept intact when being moved. It also said firms should make sure that any files or hardware containing personal data to be deleted is done so "in a secure manner" and that organisations put policies in place "to make sure that security incidents are reported and acted upon so that you learn from your mistakes".