The Information Commissioner’s Office (ICO) have said that a health board in Wales have become the first NHS organisation to be fined following a “serious breach” of the Data Protection Act.
The privacy watchdog confirmed that the health board have been issued with a penalty fine of £70,000 following a sensitive report which contained details relating to a patient’s health being sent to the wrong person.
An ICO investigation found that the error occurred after a consultant emailed a letter to a secretary to be formatted, but did not include enough information for the secretary to identify the correct patient, whilst the misspelling of the patient’s name led to the report being sent to a former patient with a similar name.
The ICO investigation also revealed that neither member of staff involved had received data protection training, and that the organisation involved did not have “adequate checks” in place to ensure personal information was sent to the correct person.
ICO’s head of enforcement, Stephen Eckersley, stressed following the investigation that it was vital NHS organisations had adequate data protection practices in place to prevent such occurrences.
He added: “The health service holds some of the most sensitive information available. This case could have been extremely distressing to the individual and their family and may have been prevented if the information had been checked prior to it being sent.”
Following the investigation, a spokesperson for the ICO said that it was pleased the health board involved were “committed to taking action” to address the problems highlighted.