ICO slams 'free' IT disposal services after NHS blunder

Data watchdog urges end users to shun free providers as it fines NHS Surrey over 'shocking' patient records breach

The Information Commissioner's Office (ICO) has sounded a warning over "free" IT disposal services after handing out a £200,000 fine to an NHS trust that presided over "one of the most serious breaches it has witnessed".

The issue of so-called free IT asset disposal (ITAD) services reared its head earlier this year after some of the industry's established players slammed an MP for promoting a firm offering this model in his local constituency.

They claimed any ITAD operating a free or "we-pay-you" model cannot cover the costs required to dispose of equipment securely.

The ICO today lent its voice to the cause as it announced it had fined NHS Surrey £200,000 after more than 3,000 patient records were found on a second-hand PC bought through an online auction site.

The PCs were sold by a data destruction company NHS Surrey had employed since March 2010. It had agreed to provide the service free of charge and to sell on any salvageable materials only after the hard drives had been securely destroyed.

Stephen Eckersley, ICO head of enforcement, blasted NHS Surrey's decision to leave an approved provider and hand over thousands of patient details to a company without checking the information had been securely deleted.
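The check that was missing here is a verification pass on the drives before they leave the organisation's control. The following is an added example, not code from the ICO, NHS Surrey, ADISA or the disposal contractor: it scans a disk image (a raw copy of a drive, or a sample of returned drives) for residual content a wipe should have removed. It looks for non-zero sectors, a handful of well-known on-disk signatures (MBR boot signature, NTFS and ext superblock magic), and runs of printable text, which is how patient records on a "destroyed" drive would show up. The signature table and the sample images are constructed for the example; the offsets are the standard locations of those magic values.

```python
import re
from dataclasses import dataclass, field

SECTOR = 512

# Well-known on-disk signatures: absolute image offset -> expected magic bytes.
# A drive that has been zero-filled should match none of these.
SIGNATURES = {
    "MBR boot signature": (510, b"\x55\xAA"),
    "NTFS": (3, b"NTFS    "),
    "ext2/3/4": (1024 + 56, b"\x53\xEF"),   # superblock magic, little-endian 0xEF53
}


@dataclass
class WipeReport:
    sectors: int
    nonzero_sectors: int
    signatures: list = field(default_factory=list)
    text_runs: list = field(default_factory=list)

    @property
    def clean(self) -> bool:
        """True only if every sector is zero and nothing recognisable survives."""
        return (self.nonzero_sectors == 0
                and not self.signatures
                and not self.text_runs)


def verify_wipe(image: bytes, min_text_run: int = 16) -> WipeReport:
    """Inspect a raw disk image and report anything a secure wipe should have removed."""
    sectors = (len(image) + SECTOR - 1) // SECTOR
    nonzero = 0
    for i in range(sectors):
        chunk = image[i * SECTOR:(i + 1) * SECTOR]
        if any(chunk):            # any non-zero byte in the sector
            nonzero += 1

    # Filesystem / partition-table magic still present at its usual offset.
    sigs = [name for name, (off, magic) in SIGNATURES.items()
            if image[off:off + len(magic)] == magic]

    # Runs of printable ASCII long enough to be a record, a name or an address.
    pattern = rb"[\x20-\x7e]{%d,}" % min_text_run
    runs = [m.group().decode("ascii") for m in re.finditer(pattern, image)]

    return WipeReport(sectors, nonzero, sigs, runs)


def constructed_blank_image() -> bytes:
    """Constructed sample: an 8-sector image after a zero-fill wipe."""
    return bytes(8 * SECTOR)


def constructed_residual_image() -> bytes:
    """Constructed sample: a 'wiped' drive that still carries a boot sector and a record."""
    img = bytearray(8 * SECTOR)
    img[3:11] = b"NTFS    "                       # NTFS OEM id in the boot sector
    img[510:512] = b"\x55\xAA"                    # MBR boot signature
    record = b"Patient: A. Example, DOB 01/01/1970, NHS No 000 000 0000"  # made-up record
    img[2048:2048 + len(record)] = record         # lands in sector 4
    return bytes(img)


if __name__ == "__main__":
    for name, image in (("blank", constructed_blank_image()),
                        ("residual", constructed_residual_image())):
        r = verify_wipe(image)
        print(name, "clean" if r.clean else "NOT clean",
              f"non-zero sectors={r.nonzero_sectors} signatures={r.signatures} "
              f"text_runs={len(r.text_runs)}")
```

On a real drive the image would come from a raw read of the device (for example a `dd` copy, or the device file itself read in sector-sized chunks), and a 2 TB disk would be sampled rather than read whole. The non-zero check assumes the wipe ended with a zero pass; if the contractor overwrites with random data the signature and text checks still apply, but a clean result from them is weaker evidence than an all-zero drive, and physical destruction with a certificate listing serial numbers remains the stronger control.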

"This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case," he said.

"We should not have to tell organisations to think twice before outsourcing vital services to companies who offer to work for free."

NHS Surrey was first alerted to its blunder in May 2012 when it was contacted by a member of the public who had recently bought a second-hand PC online and found it contained details of patients treated by the trust. This included records relating to about 900 adults and 2,000 children.

NHS Surrey was able to reclaim a further 39 PCs sold by the trading arm of its ITAD, 10 of which previously belonged to the trust and three of which still contained sensitive personal data.

"The facts of this breach are truly shocking," said Eckersley.

Steve Mellings, chief operating officer at ADISA - an industry body representing about 30 ITADs - said the case highlights that end users must think about service quality as well as price when disposing of dusty old kit.

"There is no such thing as free," he said. "There's always a cost and in this case, it is £200,000."