NHS managers make data safety pledge after leak

Dec 12 2007 by David Bartlett, Liverpool Daily Post

Sefton PCT

MANAGERS at the NHS last night said they had already taken steps to make sure that the personal details of nearly 2,000 staff could never be leaked again.

The announcement came after Unite union revealed Sefton Primary Care Trust had sent the names, salary, National Insurance and pension numbers of 1,800 workers to four organisations bidding for a contract.

Managers at the PCT admitted the security blunder and apologised for the mistake.

The PCT said the details were sent out accidentally and the three companies and a not-for-profit organisation had destroyed the data straight away.

But Unite branded the error a disgrace and urged members to examine bank accounts and change passwords, fearing the sensitive data could have got into the wrong hands.

An investigation into the data breach was launched after the discovery in November.

Chief executive Dr Leigh Griffin said: “I am treating this incident extremely seriously and I am confident that we have acted swiftly to protect our staff.

“We have had assurances from all the organisations who were wrongly sent the information that it was promptly destroyed.

“It is important to note that the details did not include any bank information or addresses, minimising risk to our staff.”

“This information was sent to the organisations in November when they were bidding for services as part of a tendering process.

“It gave names, salary, National Insurance and pension numbers.

“As soon as I became aware of this, I launched an investigation to make sure this does not happen again and wrote to all 1,800 staff to apologise for this accidental release of data, to notify them of the investigation and to give them assurances.”

Kevin Coyne, Unite national officer for health, said: “It is disgraceful that an organisation trusted to protect the highly personal and sensitive medical details of thousands of patients can expose their staff in such a dangerous way and then deny them the information of where the information has been illegally sent.

“This is a clear breach of the data protection law and if it was an accident, an inquiry must be launched into how and why such sensitive information was passed on to so many external organisations.”

“Our members are rightfully very concerned and deserve reassurance.

“To add insult to injury, the trust will not tell staff the names of the organisations which have their information owing to the confidential nature of their tendering process.”

davidbartlett