F-2012-00189 - Breaches of the Data Protection Act

Summary of request

The Authority was asked to provide information regarding incidents where the Data Protection Act has been breached by HFEA employees between 1 July 2009 and 1 July 2012.

HFEA response

The HFEA takes its duty of care to the data it holds very seriously and is committed to publishing any loss of data in its annual report. In the period 1 July 2009 to 1 July 2012 there have been no events which have resulted in the loss of data. There have been two instances which the HFEA considers to amount to a breach of the DPA in that period. They are detailed below in the format requested:

  1. Organisation
  2. Description
  3. Data affected
  4. Disciplinary action taken
  5. Action taken including notification to ICO

 

  1. HFEA
  2. The HFEA considers this to be a breach since although the members of the Committee are allowed to see patient names, we normally do not allow unredacted material to be accessed on systems other than the HFEA's. Incident reports sent to the HFEA Licence Committee members with certain patient names unredacted. This information was sent to a small number of non-HFEA email accounts.
  3. Unredacted patient names.
  4. None.
  5.
    • All Licence Committee members contacted to ensure the complete deletion and destruction of the documents.
    • All Authority members given secure HFEA email accounts and trained on their use.
    • All Authority members given Information Security training.
    • The whole redaction process was reviewed. The incident was raised in an All-Staff meeting and the ways to learn from the situation discussed.

 

  1. HFEA
  2. The HFEA considers this to be a breach because although the contractor's staff were authorised personnel, the proper procedures for ensuring the boxes were sealed were not followed. Transferal of boxes of donor records outside of the HFEA (by a contractor) without being properly sealed.
  3. Donor records. 4 archive boxes.
  4. None.
  5.
    • The entire contractor's staff had already signed confidentiality contracts.
    • The HFEA no longer stores information in external archives.
    • All staff reminded to ensure their completeness and accuracy when dealing with couriers.

 

In addition, an incident occurred in October 2010 where a document containing patient identifying information was thought to be lost, and so this incident was reported to the Information Commissioner. The document was later found within the office during the search and so was not considered to be a breach of the Act. Subsequent remedial procedures were put in place to ensure this incident could not be repeated.

Page last updated: 27 August 2013