The Information Commissioners Office recently rapped a Health Trust over the knuckles for the way in which it handled sensitive patient information. The Trust in question sent five faxes detailing patient care to a member of the public after a member of staff dialled the wrong fax number. On becoming aware of the issue after the first incident, the Trust changed its internal procedures. All should have been well but for one fact. These changes were not adopted throughout the organisation. Also, the Trust had initially failed to recover the sensitive documents from the member of the public after it had been alerted to the error.
The ICO issued the Trust with an undertaking requiring it to commit to improving the way it handles sensitive patient information.
In commenting on the case the ICO pointed out that there were more secure ways to send personal information, but that if faxes did have to be used then procedures were needed to ensure the fax went to the correct person. In light of this decision, businesses using fax machines to send personal information may wish not only to review their procedures but also ensure that any changes to procedure are applied consistently throughout the organisation.