20 July 2013
Last week, the Information Commissioner's Office (ICO) issued NHS Surrey with a monetary penalty of £200,000 after more than 3,000 patient records were found on a second-hand computer bought through an online auction site. The data was inadvertently left on the computer and sold by a data destruction company employed by NHS Surrey to wipe and destroy its old computer equipment. The ICO found that NHS Surrey did not have in place the necessary written contract with the data destruction company that would require it to act only on instructions from NHS Surrey (as the data controller) and to have appropriate technical and organisational measures in place to prevent unauthorised or unlawful processing and the accidental loss or destruction of, or damage to, personal data. The ICO also found that NHS Surrey failed to observe and monitor the data destruction process.