The Information Commissioner’s Office (ICO) has announced that a Welsh health board has become the first NHS organisation to be fined following a serious breach of the Data Protection Act. The Aneurin Bevan Health Board has been fined £70,000 after a sensitive report that contained details relating to a patient’s health was sent to the wrong person.
The ICO said that the error occurred when a consultant emailed a letter to a secretary for formatting, but failed to include enough information for the secretary to identify the correct patient. Subsequently, a misspelling of the patient's name led to the report being sent to a former patient with a similar name.
The ICO found that neither member of staff had received data protection training and that the organisation lacked the 'adequate checks' needed to ensure that personal information remained secure.
Sadly, this kind of mistake is not an isolated incident and is yet another example of how poor administration can have extreme implications for our privacy. Big Brother Watch has highlighted cases of the NHS being less than careful with our data in the past, and this incident shows that the NHS needs to get a grip on data protection urgently, before patients lose faith in the system and begin to withhold important information from doctors out of fear that it may be lost or used inappropriately.
It is incredible that the Information Commissioner still requires permission from individual NHS bodies to investigate if they are failing to protect patient information. The Commissioner should be able to spot check any organisation to ensure privacy is being taken seriously.