The Information Commissioner’s Office says it remains highly concerned that organisations in the NHS are continuing to break data protection rules designed to protect patients’ personal information. A quarter of all breaches reported to the ICO are from the health service.
Mick Gorrill, Head of Enforcement at the ICO, was speaking after NHS Stoke-on-Trent and Basingstoke and North Hampshire NHS Foundation Trust were named as the latest bodies to contravene the Data Protection Act. In each case the chief executives have signed formal undertakings to process personal information in line with the legislation.
Mr. Gorrill said: “Everyone makes mistakes, but regrettably there are far too many within the NHS. Health bodies must implement the appropriate procedures when storing and transferring patients’ sensitive personal information.”
In the latest breaches, 2,000 paper physiotherapy records were not filed in NHS Stoke-on-Trent’s archive system and may have accidentally been destroyed or misfiled. In the Basingstoke and North Hampshire case, a spreadsheet with details of 917 patients’ pathology results was emailed via an unsecure address to another department. It was not password protected, and the receiving department did not need access to the excessive amount of clinical records it contained.
Both organisations have agreed to implement security measures to protect personal information more effectively. Mr. Gorrill added: “We have taken a number of steps to explain the importance of personal data to NHS bodies and help them comply with the law. We will continue to do so.”