
More NHS Trusts breach Data Protection Act (DPA)

It has been confirmed by the Information Commissioner’s Office that 10,000 archived records were accidentally destroyed by Dartford and Gravesham NHS Trust, and as a result, the Trust has breached the DPA.

Lack of space meant the records – which should have been kept in a dedicated storage area – were left in a disposal room. They were destroyed between 28 and 31 December last year, but the hospital failed to realise the information had gone missing for three months.

It has been confirmed that the loss of these records ‘does not pose a clinical risk to data subjects affected by this incident’, but it could not be confirmed how many of the records would have contained personal information. Some would have included names, addresses and some medical information relating to former patients and staff.

The ICO has requested that the Trust ensures its staff are made aware of, and regularly trained in, all policies and procedures relating to data protection and data governance.

Acting Head of Enforcement, Sally Anne Poole, said:
“Although the majority of information lost was several years old and only being kept for archiving purposes, there is no excuse for failing to keep it secure. The hospital should have ensured that the records were kept in a safe area – and, had they had adequate audit trails in place, they would have been able to keep track of where this information was at all times.”

In a separate incident, another NHS Trust, Poole, has signed an undertaking after midwifery patient records, contained within a diary, were stolen from a midwife’s car. This information included names, addresses, and details of previous visits.

Both organisations were said to have now taken action to make sure the personal information they handle is protected.

Absolute Data is committed to ensuring companies and organisations, regardless of their size, create and follow realistic policies and procedures that are above the law. We can help your organisation create robust and effective data protection policies and procedures: we can spend some time getting to know what data-related activity your business partakes in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff; not only in the importance of data protection, but how they can ensure they are fully adhering to data protection law.

With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can ensure legal data compliance. Contact us now at, or call us on 01423 790125.