The Information Commissioner’s Office (ICO) is issuing fines after finding the NHS-regulated Healthcare Locums agency in breach of the rules of the Data Protection Act (DPA) with regard to data loss prevention and information security.
The agency in question was responsible for large amounts of data relating to doctors working for the NHS and the ICO implemented fines after a data loss incident exposed details on certain medical practitioners.
The ICO was alerted to malpractice within the agency when an online auction site was used to sell a hard drive, which was packed with data relating to doctors’ visas and security information.
Although Healthcare Locums reported the incident and notified the ICO, it could not explain to the regulator how such a serious breach of data handling practices was possible. Further investigations revealed that the storage device had been either lost or stolen during transit from Skipton to Loughton.
The ICO identified that the agency had failed to record the reason for the transfer or the specific data that was held on the hard drive, which subsequently went missing. The only reason the agency was able to detect that the data loss had occurred at all was that a private citizen alerted it to the sale.
The ICO’s Sally Anne-Poole said that this latest data loss from within an organisation linked with the NHS highlighted the significance of compliance with the rules of the DPA in relation to the proper transportation of private details.
She went on to explain that the recruitment agency had since made sure that its policies on data handling and transport were improved, so that further breaches of the DPA would not occur.
Healthcare Locums’ Mo Dedat committed to ensuring that future incidents of data loss are not possible within the firm. This includes not only losses resulting from the actions of direct employees of the agency, but also those of any third-party firms which it uses in the process of managing, storing and transporting data.