The Information Commissioner’s Office (ICO) has found Royal Wolverhampton Hospitals NHS Trust in breach of the Data Protection Act (DPA), after the loss of over 100 patient records.

The ICO was alerted to the loss of a CD which contained scans of 112 patient records from the intensive care unit of New Cross Hospital’s Heart and Lung Unit. The CD was discovered at a bus stop near the hospital and was unencrypted with no password protection.

Mick Gorrill, head of enforcement at the ICO said, “The fact that this information was several years old is of no consequence – patients’ personal data should always be handled in accordance with the Data Protection Act. I am pleased that the Trust has agreed to take remedial steps to ensure such an incident does not happen again.”

Investigations by the Trust and the ICO were unable to ascertain exactly why or how the CD was ever made, although it was established that there were areas of weakness in the Trust’s data protection procedures. This included a lack of timeliness in recalling patients’ charts that had been released to consultants.

The Trust has agreed to sign a formal undertaking outlining that it will now process personal information in line with the DPA. The Trust will implement a number of security measures to protect personal information more effectively.

These include ensuring that patient charts released to consultants are signed for on receipt and chased for return after just one week. Compliance with the Trust’s policies on data protection and records management will also be regularly monitored.