Medical recruitment firm slammed after losing doctors' data

PERSONAL data on doctors being held by a medical recruitment firm was auctioned on the internet after it was lost after being taken from a Yorkshire office.
By The Newsroom
Published 15th Oct 2010, 10:45 BST
Updated 15th Oct 2010, 10:46 BST

Specialist healthcare recruitment company, Healthcare Locums Plc (HCL), had not even realised a storage device containing sensitive information had gone missing until the online sale was noticed.

The company has now been found to have been in breach of the Data Protection Act (DPA) by the Information Commissioner's Office (ICO), headed by Christopher Graham, after the loss of the data relating to doctors employed by the agency.

Hide Ad
Hide Ad

The ICO was first informed of the breach when HCL confirmed a hard drive containing security clearance and visa information, had been sold on an auction website before being returned.

Enquiries established the equipment was last recorded as being transferred from HCL's Skipton branch to its branch in Loughton earlier this year. But HCL had no inventory list for the transfer, so the organisation failed to realise the storage device had gone missing until it was reported by a member of the public who said he had bought the device on eBay.

The files consisted of documentation relating to doctors' security clearance, public registrations, visa documentation and proof of identity.

The device was eventually returned to the firm and wiped in June 2010.

Hide Ad
Hide Ad

Neither the storage device, nor the personal data contained within it, was encrypted.

Sally Anne-Poole, enforcement manager at the ICO, said: "This breach highlights the importance of making sure personal information is transported in a way that complies with the Data Protection Act. I am pleased that Healthcare Locums is taking remedial steps to make sure incidents like this one do not happen again."

Mo Dedat, chief operating officer of Healthcare Locums Plc, has signed a formal undertaking that says the organisation will now ensure that contracts are put in place between it and any contractors it uses to process personal data on its behalf.

It will also ensure that records and logs of equipment used for personal data are maintained and kept updated in order to ensure any similar incidents could be detected quickly and handled appropriately.

Hide Ad
Hide Ad

The undertaking says "it became apparent that the network storage device had most likely been lost or stolen in transit", as the devices being transferred were stored securely at both the agency's Skipton and Loughton branches.

But no investigation was carried out by HCL into the actions of the company contracted to transport the equipment, it added.

Related topics:Yorkshire