FOI Request Discovers NHS Trusts Ignoring IT Disposal Guidelines

Mar 14, 2014

A Freedom of Information (FOI) request has revealed that a small number of NHS Trusts are disregarding IT asset disposal guidelines laid out by the Information Commissioner’s Office (ICO).

The news comes despite a number of fines issued by the data watchdog in this area, including Brighton and Sussex University Hospitals receiving a penalty in 2012 after IT equipment with patient data on it showed up on online auction sites.

Even so, it seems a number of Trusts still do not comply with ICO safety guidelines and lack measures to prevent security breaches related to IT disposal.

The FOI request received responses from 151 NHS bodies. Of these, 25% lacked a policy for IT asset disposal, 27% did not have a contract with a disposal partner and 37% said partners had not been audited.

All of the above are breaches of ICO requirements.

The FOI request was made by Steve Mellings, who founded the ADISA IT disposal standard. He says that his findings indicate the NHS is failing to learn from previous mistakes.

“Two of the largest fines from the ICO have been levied against NHS trusts as a result of data breaches from asset disposal,” said Mellings, speaking to a UK channel publication.

“The ICO has fired two clear messages to this sector to get its house in order,” he added.

Mellings went on to say that ADISA helped the ICO write up the guidelines as the very minimum for companies to work towards. He called it “disappointing” that the NHS was not fully complying.



