recent work

Civil monetary penalty issued to Belfast Health and Social Care (BHSC) Trust

A civil monetary penalty has been issued to Belfast Health and Social Care (BHSC) Trust after the ICO confirmed that it had made a ‘serious breach of the Data Protection Act’.

Belvoir Park Hospital was left disused after a merge of 6 sites in April 2007. Although security measures were put in place to protect the many patient records that were left in the buildings (some of which dated back to 1950), trespassers managed to access the site quite freely in March 2010 – they took photographs of some records, and posted them online.
While the Trust took action to improve the security of the site, including repairing damaged doors and windows, on 11 April 2011, the Irish News reported that it was still possible to access the site without authorisation. The Trust then increased the number of security guards on site and carried out a full inspection which revealed further records, many of which were being retained in breach of the Trust’s ‘Records Retention and Disposal’ policy.
The Trust failed to report the situation at the Belvoir Park site to the ICO. The ICO’s investigation found that the Trust failed to keep the information secure and also to securely destroy medical documents which it no longer required.
The ICO’s Assistant Commissioner for Northern Ireland, Ken Macdonald, said:
“The severity of this penalty reflects the fact that this case involved the confidential and sensitive personal data of thousands of patients and staff being compromised.
“The Trust failed to take appropriate action to keep the information secure, leaving sensitive information at a hospital site that was clearly no longer fit for purpose. The people involved would also have suffered additional distress as a result of the posting of this data on the Internet.

“The Trust has therefore failed significantly in its duty to its patients, and we hope that the action we’ve taken sets an example for all organisations that they must keep personal data secure, irrespective of where they choose to store it.”
The Trust has now removed patient records from the site and examined them and either retained or securely disposed of them as required. A decommissioning policy has also been implemented by the Trust to ensure that personal information is securely destroyed once it is no longer needed.