ICO Fines NHS Surrey Over “Truly Shocking & Disturbing” Data Destruction

19 July 2013
6 minute read
ITAM News & Analysis

ICO Fines NHS Surrey Over “Truly Shocking & Disturbing” Data Destruction

19 July 2013
6 minute read

300px-NHS-LogoThe Information Commissioner’s Office (ICO) has issued NHS Surrey with a monetary penalty of £200,000 after more than 3,000 patient records were found on a second hand computer bought through an online auction site.

The sensitive information was inadvertently left on the computer and sold by a data destruction company employed by NHS Surrey since March 2010 to wipe and destroy their old computer equipment.

Head of Enforcement at the ICO Stephen Eckersley has called this breach “truly shocking” with “disturbing circumstances” involved — the penalty reflects the disturbing circumstances of the case, he said.

Eckersley detailed how NHS Surrey has chosen to leave an approved provider and handed over thousands of patients’ details to a company without checking that the information had been securely deleted.

NOTE: The data destruction company carried out the service for free, with an agreement that they could sell any salvageable materials after the hard drives had been securely destroyed — the result was that patients’ information was effectively being sold online.

“A CIO once said to me in a meeting “I can’t afford free” and for this NHS trust how wise those words now are. At face value, an free IT disposal service is very attractive but only when the vendor selected shows themselves to be both professional and ethical and in this case the vendor in question was neither leaving NHS Surrey to pick up a hefty fine,” said Steve Mellings of the Asset Disposal & Information Security Alliance (ADISA).

Mellings also noted that it is hard for end users to know who to trust, which is why the ADISA certification programme exits. Certified companies undergo annual and on-going independent auditing and if they don’t consistently meet set standards — then they are removed from the programme.

“This coupled with the free monitoring service gives end users confidence that their suppliers are not only best of breed but are also being continually monitored and assessed which will go some way to ensuring that these issues don’t happen in the first place,” added Mellings.

After being alerted to the problem, NHS Surrey managed to reclaim a further 39 computers sold by the trading arm of their new data destruction provider. Ten of these computers were found to have previously belonged to NHS Surrey; three of which still contained sensitive personal data.

Barb Rembiesa, CEO of the International Association of Information Technology Asset Managers (IAITAM) has said that any time sensitive personal data is breached it is a concerning situation.

“As technology continues to mature and organisations refresh and upgrade equipment the proper disposal of these assets are extremely important.  IT Asset Disposal is no different than any other IT Asset Management process, organizations need to be making sure proper acquisition from a vendor, knowledge of all applicable regulations, processes to ensure execution of service are all taking place to protect the data of their patients or customers as well as protecting their organization from potential fines and regrettable incidents from occurring,” said Rembiesa.

“IT Asset Management is the cornerstone for most business practices, a company today can not exist without technology and if you are not managing your technology you are not managing your business. IT Asset Management effects all drivers of business, Financial, Productivity, and Risk. In this instance, Risk is highlighted in the breach of personal data, having a solid foundation of IT Asset Management in place could have easily mitigated this risk to the organisation,” she added.

The ICO’s investigation found that NHS Surrey had no contract in place with their new provider, which clearly explained the provider’s legal requirements under the Data Protection Act, and failed to observe and monitor the data destruction process.

NHS Surrey mislaid the records of the equipment passed for destruction between March 2010 and 10 February 2011, and was only able to confirm that 1,570 computers were processed between 10 February 2011 and 28 May 2012. The data destruction company was unable to trace where the computers ended up, or confirm how many might still contain personal data.

Robin Gue, chairman of The ITAD Works has said that this news and the subsequent fine should act as a warning for all organisations, not just the NHS.

“The fine imposed in this instance is significant but the broader risks and consequences to an organisation of failing to impose robust solutions for IT Asset Disposition (ITAD) could potentially be far greater. The same level of attention to detail that is applied when an organisation is using technology hardware needs to be applied when transitioning hardware out,” he said.

Gue also explained that any contractor that offers to work free-of-charge should start big alarm bells ringing. The infrastructure, technical skill and experience required to manage this critical segment of the IT lifecycle is not insignificant.

“Industry standards like those managed by ADISA and e-Stewards are designed to help organisations make an informed choice for a downstream vendor that will protect their interests. Of course, NHS Surrey must shoulder the responsibility for their approach and failure to manage a contractor that was obviously at fault for not carrying out the work to the required standard. But also, for those of us in the ITAD industry (including suppliers and certification bodies) we must also step up and engage with the NHS more successfully than we perhaps have in the past, providing not only our services but also education to help organisations make good, informed decisions,” he added.

NHS Surrey was dissolved on 31 March 2013 with some of their legal responsibilities passing to the NHS Commissioning Board. The board will be required to pay the penalty amount by 22 July or serve a notice of appeal by 5pm on 19 July. The full penalty amount is eventually paid into the Treasury’s Consolidated Fund.

Can’t find what you’re looking for?