Scottish Health Board Ordered to Improve
Burnetts' information law solicitor Natalie Ruane examines a case concerning Grampian Health Board and the Information Commissioner's Office.
Grampian Health Board (NHS Grampian) has been ordered by the Information Commissioner’s Office to take action to make sure patients’ information is better protected.
The warning came after six data breaches within a thirteen-month period in which papers containing sensitive personal data were left in public areas of the hospital. In one case, information relating to patients was found at a local supermarket.
Upon investigation, the ICO found that NHS Grampian did not have an information register identifying the personal information held and the department responsible for looking after it. The ICO considered that this gap in NHS Grampian's procedures resulted in the organisation failing to take sufficient remedial action, which meant that the same mistakes continued to occur. The ICO had previously alerted NHS Grampian to this failing in December 2011 during an audit, but the organisation had failed to take remedial steps.
Failure to comply with an Enforcement Notice issued by the ICO is a criminal offence. If any further breaches occur, NHS Grampian could find itself being fined up to £500,000. The Enforcement Notice requires NHS Grampian to produce a high-level information asset register by 22 June 2015. The register must explain which areas of the organisation are responsible for keeping the personal information they handle and how they will keep it secure.
About the author
Natalie is a Partner and leads the Employment Law & HR team and specialises in education.
Published: Tuesday 9th December 2014
Categorised: Information Law