Aneurin Bevan Health Board has become the first NHS organisation to be fined by the Information Commissioner’s Office following a serious breach of the Data Protection Act.
The board has been fined £70,000 for emailing a report about the treatment of a mental health patient to the wrong person.
The breach followed a series of errors by members of staff at the trust. First, an unnamed consultant emailed a letter to a secretary for formatting.
This included two different spellings of the patient’s name, but failed to include any other unique identifier, such as their hospital number or NHS Number.
Then, the secretary chose the wrong patient from the board’s electronic patient record system to send the report to.
As a result, a letter containing “confidential and highly sensitive personal data, including a report from the consultant detailing contacts with the patient over a period of five to six months” was sent to the wrong person.
A monetary penalty notice issued by the ICO says the secretary was used to letters arriving in this state, and their line manager had “permitted this method of work so that an effective service could be provided across multiple sites.”
The ICO found that Aneurin Bevan had failed to take “measures against unauthorised processing of personal data” and that the error was likely to cause “substantial distress.”
In addition to the penalty, Aneurin Bevan has signed an undertaking to address the concerns expressed by the ICO during its investigation.
This includes ensuring that all staff are made aware of and trained on the organisation’s policies on the use of personal data and that there is regular monitoring of compliance with policies on data protection and IT security.
New checking procedures will also be implemented across all sites to confirm a patient’s identity before personal information is sent out.
Stephen Eckersley, the ICO’s head of enforcement, said: “The health service holds some of the most sensitive information available. The damage and distress caused by the loss of a patient’s medical record is obvious.
“Aneurin Bevan Health Board failed to have suitable checks in place to keep the sensitive information they handled secure.
“This case could have been extremely distressing to the individual and their family and may have been prevented if the information had been checked prior to it being sent.
“We are pleased that the health board has now committed to taking action to address the problems highlighted by our investigation.
“However, organisations across the health service must stand up and take notice of this decision if they want to avoid future enforcement action from the ICO.”
© 2012 EHealth Media.
