A substantial minority of NHS trusts are flouting ICO [Information Commissioner's Office] guidelines on IT asset disposal, despite the recent record fines imposed by the data watchdog in this area.
However, a Freedom of Information (FoI) request suggests a significant minority of NHS trusts are not complying with ICO guidelines designed to prevent IT disposal-related breaches occurring.
Of the 151 NHS trusts that responded, 25 per cent lacked a policy for IT asset disposal, while 27 per cent did not have a contract with their IT asset disposal partner. Some 37 per cent hadn't audited their partner.
These are all requirements laid out in the ICO's guidelines on IT asset disposal.
Steve Mellings, founder of industry standard ADISA, which carried out the FoI request, said the results showed that the NHS was failing to learn from its mistakes.
"Two of the largest fines from the ICO have been levied against NHS trusts as a result of data breaches from asset disposal. The ICO has fired two clear messages to this sector to get its house in order," Mellings exclusively told CRN.
"[ADISA] helped write these guidelines and they're the very minimum companies should be doing. So to find that NHS trusts are not complying is disappointing. Although about 70 per cent are actively complying, out of the remaining 30 per cent there will be another breach and there will be regulatory action from the ICO."
In June 2012, the ICO dished out a record £325,000 fine to Brighton and Sussex University Hospitals NHS Trust following a data breach that saw unscrubbed hard drives containing sensitive personal data sold on eBay.
A year later, it slapped NHS Surrey with a £200,000 fine after more than 3,000 patient records were found on a second-hand PC bought through an online auction site.
In both scenarios, the trusts' lack of oversight over the third parties they tasked with disposing of their kit was to blame, Mellings said.
ADISA's FoI request did suggest that cognisance of the issue is rising, with 96 per cent of trusts saying they were at least aware of the ICO guidelines. Meanwhile, 95 per cent said their trust now employs an individual with responsibility for IT asset disposal.
"There is awareness, but they're just not executing on it properly," said Mellings, who is running a webinar on 29 May designed to help NHS trusts get up to speed on the issue.