Two UK health organisations guilty of Data Protection Act (1998) breaches

Many organisations keep paper records of their customers, clients and transactions. Many of these paper records include private and confidential information. The ICO has today warned that the management systems for paper records need to be made more robust, after two healthcare organisations, NHS Liverpool Community Health and the Council for Healthcare Regulatory Excellence (CHRE), were both recently found guilty of breaching the Data Protection Act (DPA) and signed formal undertakings as a result.

NHS Liverpool lost papers regarding the medical history of 31 children and their birth mothers, when moving premises in 2010. It was confirmed that the removal company used had no formal contract in place in relation to handling personal data, which is a requirement of the Act.

The CHRE has possibly lost complaint files containing sensitive personal data. Due to weaknesses in CHRE’s document recording, administration and communication processes, the organisation cannot be certain whether the information was ever received or whether it was subsequently lost or destroyed. As a result, it has also been found guilty of breaching the Act.

Acting Head of Enforcement, Sally Anne Poole, said:
“These incidents highlight significant weaknesses in both organisations’ data handling procedures. While we are pleased that NHS Liverpool Community Health and CHRE have both agreed to review their existing security procedures and processes, these incidents should act as a warning to other organisations who handle sensitive papers of the need to make sure their paper records management processes are as robust as their electronic data systems. The protection of data in all formats must be taken seriously.”

To read the report in full go to http://www.ico.gov.uk/~/media/documents/pressreleases/2011/nhs_liverpool_chre_news_release_201104.ashx now.

Full copies of both undertakings can be viewed here:
http://www.ico.gov.uk/what_we_cover/promoting_data_privacy/taking_action.aspx#undertakings

Comment
Absolute Data works with many organisations to reduce or eliminate the risk to the personal information that they hold about individuals. The “softer side” of privacy risk management, such as staff training and having documented procedures, is often overlooked and under-funded in organisations, and it is an area where we can have a big impact for a modest investment. Having a documented procedural system for data management increases the chances of getting it right first time. By reviewing such systems, organisations will continually improve their data management. This is something that Absolute Data does and can help you with.
For further information, please contact us now at info@absolute-data.co.uk.