NHS Trust threw away CD containing details of 1.6 million patients

An NHS trust in Kent threw away a CD containing details on 1.6 million patients, including addresses, dates of birth and NHS numbers, after it was left in a filing cabinet sent to a landfill site during an office move.

The Eastern and Coastal Kent Primary Care Trust has signed an undertaking with the Information Commissioner's Office (ICO) to put the necessary measures in place to stop such an incident occurring again.

The undertaking includes improved training for staff to make them aware of issues relating to data retention and storage, and new policies for staff to follow when moving offices.

An ICO spokesperson said the watchdog is satisfied that no data had been compromised, but that the case should serve as a warning for those handling sensitive data.

"While there is no evidence to suggest any of the data was accessed, this case highlights that clear policies and procedures should be put in place to support staff when handling personal information as part of an office move," the spokesperson said.

The incident is the latest in a long line of security blunders by the NHS. In the most recent incident, records on eight million patients went missing when a laptop was stolen from a trust in north London.

The ICO has frequently criticised the NHS for its lax data handling but has decided yet again not to issue a fine, despite having had the power to do so since April 2010.

Chris McIntosh, chief executive at data security firm ViaSat UK, said that the case is a serious cause for concern and questioned the ICO decision not to issue a fine.

"To lose 1.6 million patients' details strays beyond carelessness and firmly into negligence. The stark fact is that the personal details of over 2.5 per cent of the UK's population have been lost and could possibly end up used for identity theft," he said.

"In this case the ICO has decided that a civil penalty should not apply, even though it has singled out the NHS as treading on thin ice with data breaches."

Information commissioner Christopher Graham said on Tuesday that the government should allow magistrates to jail individuals in breach of section 55 of the Data Protection Act to clamp down on growing abuses of data.