A pretty appalling story on GDPR-eve.
The best points are:
The other practice appeared to do the right thing.
The ICO picked up the issue and has done the right thing.
Brit doctors surgery fined £35k over medical data fumble
Left patient records, prescriptions in former surgery premises for 18 months
By Paul Kunert 24 May 2018 at 15:14
Bayswater Medical Centre (BMC) in London is licking its wounds after taking a not insignificant punch to the wallet for discarding highly sensitive medical information in an empty building for a year and a half.
The Information Commissioner's Office (ICO) said today the data included medical records, prescriptions and patient identifiable medicine. It was left unsecured when BMC vacated its surgery but used the premises as a storage dump from July 2015.
The following year, reps from another GP practice took over the lease, discovered the unsecured medical records and told the BMC, but the BMC made no effort to scoop up that information, despite repeated warnings from the other surgery and a local Clinical Commissioning Group.
Officers from NHS England paid a visit to the site in February 2017 and found a "large quantity" of the data left on desks, in unlocked cabinets and in bins. The BMC was ordered to send in the cleaners, so to speak.
The severity of this breach "merited" a fine of £80,000, said the ICO, but this was cut to £35,000 after the BMC's ability to cough payment was considered.
"It is our duty to stand up for people's data right[s] and to ensure that their sensitive personal information is protected," said ICO head of enforcement Steve Eckersley.
"Out of sight is definitely not out of mind. We don't want anyone to think that they can avoid the law or their duties by abandoning personal data in empty buildings," he added.
theregister.co.uk/2018/05/2...
[ Added 24/05/2018 20:13 - this is what the BMC says about its own privacy policy. Please note - again - it is now GDPR-eve and despite the site having had some sort of update on 18/05/2018, they nod to the Data Protection Act 1998 and appear not to have heard of GDPR.
I also searched (in vain, of course) for any mention of the fine they have received.
How do we maintain the confidentiality of your records?
We are committed to protecting your privacy and will only use information collected lawfully in accordance with the Data Protection Act 1998 (which is overseen by the Information Commissioner’s Office), Human Rights Act, the Common Law Duty of Confidentiality, and the NHS Codes of Confidentiality and Security.
Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. Anyone who receives information from an NHS organisation has a legal duty to keep it confidential.
We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on.