ICO takes Royal Cornwall NHS Trust to task after breach

The Information Commissioner's Office (ICO) has been forced to take action against yet another NHS Trust, this time the Royal Cornwall Hospitals NHS Trust, after two breaches of third-party data.

The first incident occurred in July 2010 after a subject access request by an individual seeking information held on them by the Trust resulted in the release of information of another individual.

A similar slip-up occurred in December, when the same information requester received a second subject access response containing third-party information, according to the ICO.

Sally-anne Poole, acting head of enforcement at the ICO, explained that subject access requests are becoming increasingly popular as patients seek to identify the information held on them by their GP or hospital.

"However, just because staff are busy with requests, does not mean they can stop doing adequate checks before information is sent out," she said.

"I am pleased that Royal Cornwall NHS Hospital Trust has agreed to take the necessary steps to make sure this sort of incident doesn't happen again."

These steps include the Trust's chief executive, Peter Colclough, signing a formal undertaking with the ICO to ensure that the procedure for dealing with such requests is clearly defined and well managed, and that staff are trained accordingly.

The Royal Cornwall Trust is the latest in a long line of NHS organisations to have breached the Data Protection Act owing to poor training, ill-defined policies or blatant disregard of the legislation.

In January it emerged that the NHS Blood and Transplant, which manages the Organ Donation Register, discovered that the donation preferences of over 400,000 people had been incorrectly recorded after a software error.

Royal Wolverhampton Hospitals NHS Trust, Stoke-on-Trent Trust and Basingstoke and North Hampshire NHS Foundation Trust have all been found wanting in the past year.