The ICO has fined the organization £200,000 ($300,000 / €230,000)

Jul 15, 2013 12:39 GMT

Experts have long stressed that sensitive data must be properly wiped from a computer before it is sold or passed on. Some organizations still fail to do this, or fail to check that the contractor they paid (or did not pay) to do it actually did.

A stark example was provided last week by the UK’s Information Commissioner’s Office (ICO), which fined NHS Surrey £200,000 ($300,000 / €230,000) after a computer formerly owned by the organization was sold on eBay with over 3,000 patient records still on it.

According to the ICO, in March 2010 NHS Surrey engaged a company to wipe and destroy its old computers. The company agreed to do the work for free in return for the right to sell any salvageable components.

However, in May 2012, a member of the public who had bought a second-hand computer on eBay found that it contained the details of 3,000 NHS Surrey patients.

NHS Surrey managed to recover 39 more computers that the data destruction company had sold. Ten of them had previously belonged to NHS Surrey, and three of those were found to still contain sensitive information.

The ICO fined NHS Surrey because it had no contract with the data destruction company setting out the company’s obligations under the Data Protection Act, and because it neither observed nor monitored the destruction process: no one verified that the drives had actually been wiped before they left the organization’s control.
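The gap the ICO describes is a verification gap: nobody checked the drives before they changed hands. As an added illustration (not part of the original article, and not a tool NHS Surrey or its contractor is reported to have used), the following Python script streams a disk image or block device and reports whether every byte is zero and whether any partition-table or filesystem signature survives in the first sectors. The two sample images it builds are constructed for the example; the signature offsets are the standard MBR, GPT, NTFS, FAT32 and ext superblock locations.

```python
import os
import tempfile

# Partition-table and filesystem signatures that survive a quick format.
# (name, byte offset from the start of the device, expected bytes)
SIGNATURES = [
    ("MBR boot signature", 510, b"\x55\xaa"),
    ("GPT header", 512, b"EFI PART"),
    ("NTFS OEM ID", 3, b"NTFS    "),
    ("FAT32 type label", 82, b"FAT32   "),
    ("ext2/3/4 superblock magic", 1024 + 56, b"\x53\xef"),
]

HEAD_BYTES = 4096  # covers every offset listed in SIGNATURES


def scan_image(path, chunk_size=1 << 20):
    """Stream a disk image (or block device) and report whether it is zero-filled.

    Returns a dict:
      bytes_total    number of bytes read
      nonzero_bytes  bytes that are not 0x00
      first_nonzero  offset of the first non-zero byte, or None if all zero
      signatures     names from SIGNATURES still present in the first HEAD_BYTES
    """
    total = nonzero = 0
    first_nonzero = None
    head = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            if len(head) < HEAD_BYTES:
                head += chunk[:HEAD_BYTES - len(head)]
            zeros = chunk.count(0)  # counted in C, so large images stay fast
            if first_nonzero is None and zeros != len(chunk):
                # lstrip drops the leading NULs; the length difference is the offset
                first_nonzero = total + (len(chunk) - len(chunk.lstrip(b"\x00")))
            nonzero += len(chunk) - zeros
            total += len(chunk)
    found = [name for name, off, magic in SIGNATURES
             if head[off:off + len(magic)] == magic]
    return {"bytes_total": total, "nonzero_bytes": nonzero,
            "first_nonzero": first_nonzero, "signatures": found}


def is_wiped(report):
    """A device passes only if every byte is zero and no signature remains."""
    return report["nonzero_bytes"] == 0 and not report["signatures"]


def make_sample_images(size=4 << 20):
    """Write two constructed images to a temp directory and return their paths.

    'wiped' is all zeros. 'dirty' carries an NTFS-style boot sector, an MBR
    boot signature and a fake record 1 MiB in. Neither is a real disk image.
    """
    d = tempfile.mkdtemp(prefix="wipecheck-")
    wiped = os.path.join(d, "wiped.img")
    dirty = os.path.join(d, "dirty.img")
    with open(wiped, "wb") as f:
        f.write(b"\x00" * size)
    image = bytearray(size)
    image[0:11] = b"\xeb\x52\x90NTFS    "   # jump + OEM ID, as in a real NTFS boot sector
    image[510:512] = b"\x55\xaa"            # MBR boot signature
    record = b"Patient record (constructed sample data)"
    image[1 << 20:(1 << 20) + len(record)] = record
    with open(dirty, "wb") as f:
        f.write(image)
    return wiped, dirty


if __name__ == "__main__":
    for label, path in zip(("wiped", "dirty"), make_sample_images()):
        rep = scan_image(path)
        verdict = "PASS" if is_wiped(rep) else "FAIL"
        print(f"{label}: {verdict} nonzero={rep['nonzero_bytes']} "
              f"first_nonzero={rep['first_nonzero']} signatures={rep['signatures']}")
```

Two caveats a practitioner should keep in mind. The check assumes a zero-fill wipe; a pattern-fill or cryptographic erase will fail it by design, so adjust the expected byte accordingly. It also reads only the addressable area of the device, so host-protected or device-configuration-overlay regions, remapped sectors and SSD over-provisioned blocks are not covered, which is why verified ATA Secure Erase or physical destruction is the usual requirement for media holding records like these. Logging the result against the drive serial number gives the per-device record the ICO found missing in this case.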

NHS Surrey could not produce any records for the computers handed over for destruction between March 2010 and February 2011. For the period from February 2011 to May 2012, its records show that 1,570 devices were processed.

The data destruction company, for its part, could not trace which computers it had sold on, so it is unknown how many of them still contained personal data at the point of sale.

Since NHS Surrey was dissolved in March 2013, the fine will be paid by the NHS Commissioning Board, which took over some of the organization's legal responsibilities.

“The facts of this breach are truly shocking. NHS Surrey chose to leave an approved provider and handed over thousands of patients’ details to a company without checking that the information had been securely deleted. The result was that patients’ information was effectively being sold online,” said Stephen Eckersley, ICO head of enforcement.

“This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case. We should not have to tell organisations to think twice before outsourcing vital services to companies who offer to work for free.”