Grampian Health Board Data Breach (2014)

Scottish NHS organisation warned over mishandling of data after sensitive information abandoned in supermarket The Information Commissioners Office (ICO) has ordered the Grampian Health Board to clean up its act after suffering six data breaches in thirteen months. The data protection watchdog said the healthcare organisation had to take action to ensure patient information is better protected. The ICO listed a series of incidents, including the abandonment of sensitive personal data in public areas of the hospital and one case where patient data was found at a local supermarket. All of the papers were returned to staff, with the final incident occurring on 28 March 2014. The regulator's investigation found the same mistakes continued to occur because NHS Grampian didnt have an information register identifying the personal information held and the department responsible for looking after it. This gap in procedures resulted in the organisation failing to take sufficient remedial action, the ICO ruled. It also previously alerted NHS Grampian to this oversight during an audit carried out in December 2011, but the organisation failed to act. ICO assistant commissioner for Scotland, Ken Macdonald, said: Its a fundamental requirement of the Data Protection Act that organisations understand what personal information they hold and who is responsible for looking after it on a day-to-day basis. NHS Grampian failed to do this, despite committing to addressing this problem when our office highlighted it as an issue during an audit three years ago. We hope this enforcement notice gives the organisation a further chance to put their house in order and look after the information of the people they serve. Mr Macdonald said failure to comply with the notice was a criminal offence. If any further breaches occur, we do not rule out taking further regulatory action, including fining the organisation up to 500,000, he added. The health board has until 29 June 2015 to complete an information asset register.