Liverpool Community Health Data Breach (2015)

The outsourcing firm Capita has been responsible for a breach of NHS employees' personal data in Liverpool, according to board papers. The company, which was providing human resources services to nine trusts in Liverpool until last year, mistakenly sent details of staff at other Merseyside trusts to Liverpool Community Health Trust's HR department. The trusts in the "Merseyside consortium" transferred payroll and recruitment services to Capita HR Solutions in 2012. However, the contracts were terminated last year following claims of problems with staff payments and recruitment delays. In November one of the organisations in the consortium, Mersey Care Trust, revealed in its board papers that "information governance issues" had been uncovered when the services were taken back in house. According to the papers, Capita was involved in a "potential breach" relating to a "number of local NHS organisations". The Walton Centre Foundation Trust coordinated the response to the breach on behalf of the consortium. A trust spokeswoman said the consortium was "aware of a possible issue relating to the handling by an external supplier of some of our staff data". "Our concerns focus on the possibility that this supplier may have incorrectly shared details of some staff employed by say consortium member 'x', their employer, with consortium member 'y', who does not employ them." She said the concerns had been reported to the Information Commissioner's office and that the consortium's own investigations are ongoing. "We will continue to work with regulators, the supplier in question, staff side representatives and others to resolve this important matter to the satisfaction of all concerned," she added. A spokesman for Capita revealed that the information had been shared with Liverpool Community Health Trust. He said: "Capita HR Solutions wrote to the Information Commissioner's office on 24 October 2014 to inform it that it had mistakenly returned a small number of paper files relating to other trusts to the HR department of Liverpool Community Trust. "All the information has been recovered and correctly re-sent," he said. "The business takes data protection seriously and this incident has triggered a formal review of its data transfer processes and protocols."