ICO fines NHS Surrey £200,000 after 3,000 patient records sold on eBay

Failure to do due diligence on a new data destruction provider comes back to haunt Trust

The ICO is to fine the NHS Commissioning Board £200,000 after it was discovered that NHS Surrey allowed old computers containing around 3,000 patient records to be sold on auction website eBay.

NHS Surrey was dissolved in March 2013, leaving the NHS Commissioning Board now eligible for the fine, which must be paid by 22 July.

The ICO's head of enforcement, Stephen Eckersley, said, "The facts of this breach are truly shocking. NHS Surrey chose to leave an approved data destruction provider and handed over thousands of patients' details to a company without checking that the information had been securely deleted.

"The result was that patients' information was effectively being sold online. This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case.

"We should not have to tell organisations to think twice before outsourcing vital services to companies who offer to work for free," added Eckersley.

"Performing due diligence on sub-contractors and ensuring that no sensitive data is put at risk as they perform their tasks should be a matter of course, for the NHS or for anyone," said Chris McIntosh, CEO of data security firm Viasat UK.

"However, at the same time when dealing with such sensitive information it should be protected from unauthorised access from cradle to grave: for example, if such data was encrypted when first stored then even a slip-up in disposal would not put it in danger of being compromised."

McIntosh commented that increasing financial pressure is likely to see security sub-contracting become more common in the public sector, and it is thus imperative that a contractor's data protection is under as much scrutiny as the NHS's own, "even if it means choosing a more costly option".