
GPs warned over fines for data protection breaches

By Laura Passi

Legal experts have reminded GP practices they must take steps to ensure patient information is secure, following the first fines by the Information Commissioner under new data protection legislation.

Two organisations were found to have breached the Data Protection Act and were given fines by the Commissioner using new powers gained in April.

Hertfordshire County Council was fined £100,000 for faxing sensitive information regarding a child abuse case to the wrong recipients, and an employment agency £60,000 for losing an unencrypted laptop containing personal information about 24,000 people.

The organisations involved were unrelated to the NHS, but the Medical Defence Union warned of the risk to GPs: ‘Any organisation which handles highly sensitive patient information, particularly when held electronically, may be vulnerable to such losses.’

‘For example, in September this year East and North Hertfordshire NHS Trust was found to have breached the Data Protection Act 1998 after a junior doctor mislaid an unencrypted USB stick which held details of patients’ conditions and medications.’

Dr Beverley Ward, a medico-legal adviser at the MDU, said: ‘The Commissioner expects data controllers, such as GPs, to take reasonable steps to prevent such breaches of the Act, such as carrying out a risk assessment or having a policy in place to encrypt all portable devices including laptops.’
