PLEASE NOTE: Information in this article is correct at the time of publication, please contact DFA Law for current advice on older articles.
A recent case involving NHS Surrey serves as a reminder to organisations that handle personal data of the importance of following appropriate procedures when information held on computers that are no longer required needs to be destroyed.
Under the Data Protection Act 1998, a data controller is required to ensure that ‘appropriate technical and organisational measures’ are taken ‘against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’. This is the seventh of eight data protection principles outlined in the Act.
Where an organisation outsources the processing of personal data, the data controller must choose a data processor that provides sufficient guarantees in respect of the security measures governing the processing to be carried out, and must take reasonable steps to ensure compliance with those measures. In such circumstances, the data controller is not considered to have complied with the seventh principle unless three conditions are met: the processing is carried out under a written contract; the data processor is to act only on instructions from the data controller; and the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.
Although it had an existing arrangement for data destruction services with an approved contractor, NHS Surrey decided to use the services of a company that offered to do the work for free on the basis that it could then profit from the sale of the unwanted devices. There was no contract in place, although the company did offer written assurances that the data would be destroyed.
A member of the public who bought a second-hand computer in an online auction subsequently informed NHS Surrey that the device contained confidential medical information. On investigation, NHS Surrey found that many of the files contained confidential sensitive personal data including patient records relating to approximately 900 adults and 2,000 children. The hard drive’s serial number was checked against the destruction certificate and was identified as one of a batch of machines dealt with by the new company. Further investigations uncovered three more computers that had been sold in the same auction and which still contained confidential sensitive personal data.
The Information Commissioner’s Office said that it was one of the most serious data protection breaches it had witnessed and issued NHS Surrey with a £200,000 fine.