Data Breaches

For the period 01/04/2015 to 22/03/2016: 

  1. The total number of times there has been a breach of the Data Protection Act including data loss in the period. 17 breaches of the Data Protection Act, and no data loss reported.
  2. Please also provide details of each breach of the Data Protection Act, for example the type of Data that was involved and the number of people affected.
  3. Details of action taken, including whether each breach was reported to the Information Commissioner’s Office and any disciplinary proceedings taken against employees.

Please find below a table outlining the type of Data Protection Act breach, number of people affected, action taken:

 

| Type of Breach | Number of People Affected | Action Taken |
|---|---|---|
| Confidentiality – patient in receipt of another patient letter/kit | 2 | Reported in line with Trust Policy |
| Data Quality – patient demographic details incorrectly registered | 1 | Reported in line with Trust Policy |
| Data Quality – patient ID band DQ error | 1 | Reported in line with Trust Policy |
| Data Quality – patient ID band DQ error | 1 | Reported in line with Trust Policy |
| Confidentiality – patient confidential information print out not secured appropriately | <5 | Reported in line with Trust Policy |
| Confidentiality – patient confidential information disclosed in error to another patient | 2 | Reported in line with Trust Policy. ICO formal complaint – upheld. |
| Data Quality – patient ID band DQ error | 1 | Reported in line with Trust Policy |
| Data Quality – patient ID band DQ error | 1 | Reported in line with Trust Policy |
| Confidentiality – insecure transfer of documentation | 3 | Reported in line with Trust Policy |
| Confidentiality – telephone miscommunication | 1 | Reported in line with Trust Policy |
| Data Quality – incorrect NHS number used | 1 | Reported in line with Trust Policy |
| Data Quality – patient name incorrectly registered | 1 | Reported in line with Trust Policy |
| Confidentiality – patient in receipt of another patient letter | 2 | Reported in line with Trust Policy |
| Data Quality – patient ID band DQ error | 1 | Reported in line with Trust Policy |
| Confidentiality – patient in receipt of another patient letter | 2 | Reported in line with Trust Policy |
| Confidentiality – insecure transfer | <14 | Reported in line with Trust Policy |
| Confidentiality – patient in receipt of another patient letter | 2 | Reported in line with Trust Policy |

 

There were no disciplinary proceedings taken against employees.

 

The ICO contacted the Trust on 2 separate occasions with concerns raised by patients as follows:

 

One of the concerns was in relation to Principle 1 – personal data must be processed fairly and lawfully, Principle 4 – personal data must be accurate and up-to-date, and Principle 6 – personal data must be processed in accordance with the rights of the data subject. The ICO considered the Trust to have complied with Principle 1 and Principle 4 and unlikely to have complied with Principle 6 in the processing of a Subject Access Request, and recommendations were made by the ICO for improvement of process.

 

The second concern was in relation to Principle 6 and the timeliness in responding to a Subject Access Request.

©2017 Royal Surrey County Hospital
