The Information Commissioner's Office said Liverpool NHS breached the Data Protection Act as it had no formal contract in place with the removal company to handle personal data - a requirement of the Data Protection Act - and had no process in place to ensure personal data was kept secure throughout the move.
In a separate incident the Information Commissioner's Office (ICO) has also found the Council for Healthcare Regulatory Excellence in breach of the Data Protection Act after the possible loss of documents from complaint review files containing personal data - but the organisation cannot be certain if the information was received, lost or destroyed.
Sally Anne Poole, enforcement head at the ICO, said: "These incidents highlight significant weaknesses in both organisations' data handling procedures. These incidents should act as a warning to other organisations who handle sensitive papers of the need to make sure their paper records management processes are as robust as their electronic data systems. The protection of data in all formats must be taken seriously," she said.
Bernie Cuthel, CEO of NHS Liverpool Community Health, has signed a formal undertaking to ensure a written contract will always be in place with any third parties responsible for handling personal data on the organisation's behalf and that clear policies and procedures will be put in place to support staff when moving office.
Harry Cayton, head of the Council for Healthcare Regulatory Excellence (CHRE), has signed a formal undertaking ensuring that all future information containing personal data sent between the data controller and regulators is adequately protected and that the authority's existing pilot system for the logging and filing of documentation is implemented permanently.
Just last week the City of York Council also breached the Data Protection Act after disclosing personal data following a printer mix-up.
This story was first published by Computer Weekly