Investigation launched following discovery of medical records in a skip
Following the discovery of medical records in a skip outside the former offices of a law firm, an investigation has been launched by the ICO.
Following the discovery of medical records in a skip outside the former offices of Woodward Solicitors, a law firm based in St Helens, Merseyside, an investigation has been launched by the Information Commissioner’s Office ("the ICO"), the UK's independent body set up to uphold information rights.
The documents related to personal injury claims and included names, home addresses and NHS numbers of patients, as well as descriptions of symptoms and treatments relating to various injuries. Some documents even recorded individuals’ weekly alcohol intake, weight, previous ailments and personal medical conditions.
This is not the first such data breach involving NHS data. In 2009, the NHS itself was reported to have experienced 140 security breaches in four months, including documents left in a skip.
The Data Protection Act 1998 ("the DPA") covers personal information including health records. A health record is any record of information relating to someone's physical or mental health that has been made by (or on behalf of) a health professional.
The ICO has now launched an investigation, and is speaking with senior staff at the firm. There are several enforcement options available where there has been a serious legislative breach. These include enforcement notices and monetary penalty notices, which could involve a fine of up to £500,000.
Woodwards moved office 18 months ago and the firm was in the process of clearing remaining property out of its former premises. Director Tim Wood said that the medical records had previously been secure in the office. In a statement to Legal Futures, Wood said: "It shouldn’t have happened. We are fastidious in our approach to data protection, with a shredding company we’ve used for years." Wood stated that the sealed box of documents appeared to have been placed in the skip by workers during weekend clearance works. "They must have assumed it was rubbish and dumped it in the skip with the rest."
In 2015 the Court of Appeal ruled, in the case of Vidal-Hall v Google, that compensation under the DPA could be awarded for distress alone, although this aspect of the judgment has been appealed by Google and will now be heard by the Supreme Court. The ICO will review this guidance once the Supreme Court has issued its judgment. This could have serious implications for future cases of this type, which involve highly sensitive data.
Following several high-profile electronic data breaches, such as TalkTalk’s breach in October 2015 which affected over 160,000 customers, the Woodwards episode emphasises the importance of stringent training and security measures in relation to hard copy data.
Training, governance and controls to influence behavioural change are essential - all too often it is human error, not hackers, that is the biggest threat to an organisation's information assets.
Ed Lewis, Partner at Weightmans LLP and specialist in Cyber and Privacy law, commented: "It's inevitable in light of this latest high-profile data breach that consumers will once again be outraged at the ease with which their personal information can fall into the wrong hands. Any business handling data must ensure that its staff and suppliers understand the value of personal information and recognise the importance of guarding it with the same care as they would financial assets."