ICO fines NHS Surrey £200,000 for failure to ensure destruction of old computers.

17 July 2013

Author: Clare Bates
Practice Area: Healthcare
Sector: Healthcare


NHS Surrey was fined £200,000 after sensitive patient data relating to 900 adults and 2000 children was discovered by a member of the public on a second-hand computer.  NHS Surrey had employed a data destruction company to wipe and destroy old computer equipment.  The company agreed to carry out their service for free in return for being able to sell on any salvageable material after hard drives had been successfully destroyed. 

Once NHS Surrey was notified by a member of the public about the issue, they reclaimed 39 computers from their data destruction provider, and three additional computers were discovered to contain sensitive personal information from NHS Surrey.  Many more computer hard drives, potentially containing sensitive patient information, were found to have been sold over the internet. 

When the ICO investigated the matter, it found that NHS Surrey had no written agreement with its current data destruction provider explaining the provider’s legal requirements under the Data Protection Act, and that NHS Surrey had failed to observe and monitor the data destruction process.  Due to deficiencies in record keeping, it was not possible to trace all of the old computers, and the data destruction company was unable to confirm how many computers could potentially have contained sensitive personal data.

The ICO stated that the very substantial penalty in this case was due to the “disturbing circumstances” concerning sensitive patient information, and warned that organisations should take great care in outsourcing data destruction services.  Where a company is being employed for this kind of service, it is advisable to have an agreement which imposes upon the service provider similar obligations to those of the data controller under the Data Protection Act.  The data controller should carry out a risk assessment, and the service provider should be able to give guarantees as to the security measures to be adopted during processing.  It is also important to monitor and observe the destruction process and to ensure that adequate records are maintained.  The ICO stated that the data destruction provider should have been required to provide Destruction Certificates for each individual hard drive, that records should have been maintained of the serial numbers of each hard drive, and that effective audit trails should also have been ensured.

This case emphasises the importance of ensuring that the destruction of personal data is carefully managed, and this is all the more vital where the data concerned is of a particularly sensitive nature.
