The healthcare industry continues to live up to its reputation for suffering the most data breaches after the Information Commissioner’s Office (ICO) found Healthcare Locums Plc (HCL) in breach of the Data Protection Act (DPA).

HCL, which is a specialist healthcare recruitment agency, lost a hard disc drive (HDD) that contained personal data of the doctors it employed, such as their security clearances and visa information.

The issue came to light when the HDD was returned to HCL by a member of the public after it had been sold on an online auction website.

Missing In Transit

It seems that the HDD had gone missing whilst it was being transferred from HCL’s Skipton branch to its branch in Loughton earlier this year. But as no inventory list had been created for the transfer, HCL failed to realise the storage device had gone missing until it was reported by a member of the public.

“This breach highlights the importance of making sure personal information is transported in a way that complies with the Data Protection Act,” said Sally Anne-Poole, Enforcement Group Manager at the ICO in the ruling. “I am pleased that Healthcare Locums is taking remedial steps to make sure incidents like this one do not happen again.”

Meanwhile, Mo Dedat, Chief Operating Officer of Healthcare Locums Plc, has signed a formal undertaking outlining that the organisation will ensure contracts are put in place between the organisation and any contractors it uses to process personal data on its behalf. It will also ensure that itineraries of equipment used to process personal data are maintained and updated in order to ensure any similar incidents are detected quickly and handled appropriately.

The loss of storage media is unfortunately commonplace nowadays. For example, in early September a memory stick said to contain anti-terror training manuals was discovered outside a Manchester police station. In May, a NHS worker in the secure mental health unit of a Scottish hospital was suspended, after he lost a USB stick containing patients’ medical records.

Other recent breaches include DSG Retail Ltd, (the owner of PC World), being slapped over the wrist by the ICO after eight completed customer credit agreements containing personal and financial details were discovered in a skip outside one of its PC World stores.

Still No Fines

Despite numerous other examples, the ICO has yet to issue any fines. In June, for example, the ICO published a list of all the data breaches reported since 2007. Of the 1,007 reported breaches, the NHS was responsible for 305.

The ICO has previously warned businesses that if they do not own up to data breaches, they will face tougher action than those that come forward of their volition. Companies that fall foul of data breach laws risk a maximum fine of £500,000 under powers granted to the ICO in January this year.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

3 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

3 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

3 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

4 days ago