The Information Commissioner’s Office has found a healthcare recruitment agency in breach of the Data Protection Act after it lost doctors’ personal data that ended up being sold online.
Healthcare Locums (HCL) first notified the ICO about the breach when it confirmed that a network storage device containing details about doctors’ security clearance and their visa information had been sold on an auction website. Neither the device nor the data were encrypted.
HCL’s records showed that the hard drive was being transferred from its Skipton branch to its Loughton branch in February 2010 for secure storage prior to decommissioning.
However, the agency did not have an inventory list for the transfer, so did not realise the device was missing until it was reported by a member of the public who had been sold the device on auction website eBay. It was believed that the device was most likely lost or stolen in transit.
The agency wiped the hard drive in June 2010 when it was eventually returned.
The agency’s COO, Mo Dedat, has signed a formal undertaking to ensure that it maintains up-to-date records of the movement of equipment used to process personal data, so that any similar incidents are quickly detected.
HCL will also ensure that any contractors it uses to process personal data on its behalf are bound by contracts that fully comply with data protection laws.
Earlier this month, the ICO launched a consultation on the first-ever code of practice on data sharing.