Belfast Health and Social Care (BHSC) Trust has been served with a Civil Monetary Penalty (CMP) of £225,000.
The Information Commissioner’s Office (ICO) said that the penalty follows a serious breach of the Data Protection Act (DPA).
The breach involved the sensitive personal data of thousands of patients and staff, and included medical records, X-rays, scans and lab results, and staff records including unopened payslips following a merger in April 2007 of six local Trusts into the BHSC Trust.
The merger resulted in the Trust taking on the management of more than 50 largely disused sites, including Belvoir Park Hospital.
In March 2010 the Trust was informed that trespassers had gained access to the Belvoir Park site and taken photos of a number of patient records before posting them online.
While the Trust took action to improve the security of the site, including repairing damaged doors and windows, in April 2011 the Irish News reported that it was still possible to access the site without authorisation.
ICO’s Assistant Commissioner for Northern Ireland, Ken Macdonald, said: “The Trust failed to take appropriate action to keep the information secure, leaving sensitive information at a hospital site that was clearly no longer fit for purpose. The people involved would also have suffered additional distress as a result of the posting of this data on the internet.”
The Trust has now removed patient records from the site and examined them and either retained or securely disposed of them as required. A decommissioning policy has also been implemented by the Trust to ensure that personal information is securely destroyed once it is no longer needed.
