Kent PCT loses 1.6m patient records

Eastern and Coastal Kent Primary Care Trust has been rapped by the Information Commissioner's Office for mislaying an unencrypted CD containing 1.6m patient records.

Fortunately, the PCT knows where the CD is: in a filing cabinet that has been sent to a landfill site.

The ICO says Eastern and Coastal Kent Primary Care Trust has ‘strengthened’ its information governance procedures since the incident.

The CD holding the address, date of birth, NHS Number and GP practice code of about 1.6m patients was accidentally left in the filing cabinet that was sent to landfill during an office move.

Once the error was realised, a data controller attempted to retrieve the CD, but it had already been disposed of and could not be recovered.

An investigation by the Information Commissioner’s Office found the team concerned with moving the office furniture was not up to date with information governance training and had not accessed relevant guidance on how to dispose of the CD.

An ICO spokesperson said: “While there is no evidence to suggest that any of the data was accessed, this case highlights that clear policies and procedures should be put in place to support staff when handling personal information as part of an office move.”

The ICO decided not to serve an enforcement notice on conditions that the trust updated its policies and procedures.

The PCT's chief executive, Ann Sutton, said it had carried out its own investigation of the incident and a set of recommendations and learning points are being implemented.

“We have already strengthened our information governance policies, procedures and training on the basis of our internal investigation of the incident.

"The Information Commissioner’s recommendations to improve them further will be implemented fully.”

Sutton said the breach was “unfortunate”, but data storage was already much more secure.

“I would like to reassure patients that the data stored in the filing cabinet was not current – the most recent information was from 2002. There was no clinical data involved and the data is beyond retrieval.

“It is important to stress that information systems now are far more secure than they were at the time these files were produced – we no longer store information on floppy disks or CDS and use sophisticated systems of encryption.”