An NHS trust has been fined £200,000 by the data watchdog after it sold an old computer which contained the personal details of more than 3,000 patients. The sensitive information was left on the computer sold by a data destruction company employed by NHS Surrey. The Information Commissioner’s Office (ICO) was tipped off after a member of the public bought the second-hand computer online.The company had been employed by NHS Surrey since March 2010 to wipe and destroy its old computer equipment. The company carried out the service for free, with an agreement that they could sell any salvageable materials after the hard drives had been securely destroyed. The ICO said: “On 29 May 2012 NHS Surrey was contacted by a member of the public who had recently bought a second-hand computer online and found that it contained the details of patients’ treated by NHS Surrey.
“The organisation collected the computer and found confidential sensitive personal data and HR records, including patient records relating to approximately 900 adults and 2000 children.”
The watchdog added: “After being alerted to the problem, NHS Surrey managed to reclaim a further 39 computers sold by the trading arm of their new data destruction provider.
“Ten of these computers were found to have previously belonged to NHS Surrey; three of which still contained sensitive personal data.”