A PCT that lost a CD containing the personal information of 1.6 million people has sought to reassure patients the disk “contained no clinical data”.
The CD did, however, include people’s addresses, dates of birth, NHS numbers and GP practice codes.
The incident followed an Eastern and Coastal Kent Primary Care Trust office move, during which staff were instructed to dispose of a filing cabinet containing the CD.
As staff were not aware of the existence of the CD, the filing cabinet was sent to a landfill site, and according to the Information Commissioner’s Office (ICO), the CD has not yet been recovered.
The Information Commissioner chose not to exercise his power to serve an Enforcement Notice on the PCT.
Instead, the Trust has committed to bringing in clear policies and procedures for office moves, improving staff training and tightening security against unauthorised and unlawful processing, accidental loss, destruction and damage of personal records.
Following the investigation, Ann Sutton, chief executive of the PCT under investigation, sought to reassure patients the data on the CD was not current, did not include clinical information and was beyond retrieval.
“We have already strengthened our Information Governance policies, procedures and training on the basis of our internal investigation of the incident. The Information Commissioner’s recommendations to improve them further will be implemented fully,” said Sutton.
“While the breach was unfortunate, I would like to reassure patients that the data stored in the filing cabinet was not current – the most recent information was from 2002. There was no clinical data involved and the data is beyond retrieval.
“It is important to stress that information systems now are far more secure than they were at the time these files were produced – we no longer store information on floppy disks or CDs and use sophisticated systems of encryption.”