Although it has a well-structured, well-run and reasonably well-resourced security management service, the NHS still seems to struggle with some aspects of compliance with the Data Protection Act. As a result, another NHS trust has fallen foul of the Information Commissioner’s Office (ICO) and been fined a significant amount of money.
Based on the ICO’s press release, it appears that NHS Surrey had outsourced the disposal of its computers and related assets. Unfortunately, after 2 years, they were notified by a member of the public that a disk purchased from eBay contained patient data.
According to the press release, when NHS Surrey collected the computer and processed it, they discovered records belonging to 900 adults and 2000 children. Faced with this information, the trust was able to recover 39 further devices from the trading arm of the data destruction provider. Of this batch, 10 were previously owned by NHS Surrey and three contained sensitive patient data.
NHS Surrey appear to have entered into an arrangement whereby the data disposal company removed the devices for free on the grounds that they could sell on any salvageable materials. From the ICO’s report, this appears to have been an informal arrangement: no contract was in place and no monitoring was conducted.
Stephen Eckersley, Head of Enforcement, described this as “one of the most serious the ICO has witnessed” with the following points noted in the press release:
The ICO’s investigation found that NHS Surrey had no contract in place with their new provider, which clearly explained the provider’s legal requirements under the Data Protection Act, and failed to observe and monitor the data destruction process.
NHS Surrey mislaid the records of the equipment passed for destruction between March 2010 and 10 February 2011, and was only able to confirm that 1,570 computers were processed between 10 February 2011 and 28 May 2012. The data destruction company was unable to trace where the computers ended up, or confirm how many might still contain personal data.
This is similar to the incident reported last year where the Scottish Borders Council was fined £250,000 for failing to protect data during the disposal process and personal data ended up in public waste bins.
One major difference is that, unlike the local councils in the UK, the NHS has a well-structured, centrally managed system to enforce security compliance on third-party suppliers. It appears to have failed here.
Lessons learned from the NHS – Supplier Security Management
There is a lot that can be learned here, even if you don’t work for the NHS. If you handle personal data or if you just have commercially sensitive information, you need to make sure you dispose of your assets properly. If your files end up on eBay then you face regulator fines, loss of competitive advantage and reputational damage.
You can avoid this. Quite easily actually.
The Data Protection Act is quite clear about the obligation, and the 7th principle states:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Even if you don’t process personal data, this is a good principle to adhere to when it comes to protecting your corporate data.
With this in mind, there are some steps you can take to avoid following in NHS Surrey’s footsteps:
- Have a policy and plan in place to manage your information lifecycle. This needs to document how you create, maintain and dispose of all your information assets.
- Keep an accurate and well-maintained record of where your sensitive information is stored. You should always be able to tell if a hard disk has had “important” information on it or not.
- If you outsource your disposal you absolutely must make sure there is a robust contract in place. This contract must oblige the service provider to securely dispose of any data. If nothing else, this means that in the event some data surfaces, you have options to protect yourself.
- Make sure you manage your disposal process. In-house or outsourced, you should nominate a suitable person to be responsible for ensuring data is properly disposed of.
Following these four steps will help you avoid following in the footsteps of NHS Surrey and the Scottish Borders Council. More importantly, it will help you avoid suffering a fine in the region of £200,000.
Good supplier security management is not free, but it is a lot cheaper than the alternatives.