ICO rebukes Wolverhampton Hospitals

It has said the trust was guilty of breaching the Data Protection Act (DPA) in losing a CD with scans of 112 patient records from the Intensive Care Unit of New Cross Hospital's Heart and Lung Unit. The CD was discovered at a bus stop near the hospital and was unencrypted with no password protection. Investigations have failed to establish why or how the data was transferred to the CD, although it was established that there were areas of weakness in the trust's data protection procedures. This included a lack of timeliness in recalling patients' charts that had been released to consultants. The trust has agreed to a formal undertaking to process personal information in line with the DPA. It will also implement a number of security measures to protect personal information more effectively, including ensuring that patient charts released to consultants are signed for on receipt and chased for return after just one week. Mick Gorrill, head of enforcement at the ICO, said: "The fact that this information was several years old is of no consequence – patients' personal data should always be handled in accordance with the Data Protection Act. I am pleased that the trust has agreed to take remedial steps to ensure such an incident does not happen again."