After an investigation by the Information Commissioner's Office (ICO) NHS Tayside has been found to be in breach of the Data Protection Act after confidential patient records were left in the closed Strathmartine Hospital, Dundee.

The health authority was told that it faces prosecution if it fails to comply with the Data Protection Action in the future.
Patients records were found scattered around the disused buildings by a local group who reported the matter to MSP Shona Robison. NHS Tayside gave Ms Robinson repeated assurances that the records had been removed, when in fact, they had not.

A similar discovery of patients' details was made at the former Law Hospital at Carluke, South Lanarkshire.
Ken Macdonald, assistant commissioner for Scotland at the ICO, told the Press and Journal: "The Information Commissioner's Office takes all breaches of data security seriously.

"Clearly health records can contain particularly sensitive information and must be held securely and disposed of appropriately when no longer required."

"It is also a serious concern that both NHS Tayside and NHS Lanarkshire were keeping information for longer than necessary.
He added: "We have ordered both NHS bodies to comply with the Data Protection Act in future or risk further enforcement action by the ICO."

In a statement, the ICO said it has now required both organisations to sign formal undertakings to comply with the principles of the Data Protection Act.

They should also follow the recommendations recently made by NHS Quality Improvement Scotland to prevent similar incidents occurring in the future.

A spokeswoman for NHS Tayside said, "Since the incident at Strathmartine we have reviewed all our medical records and information systems procedures and taken steps to ensure we are in compliance with the Data Protection Act."

http://www.pressandjournal.co.uk/Article.aspx/959674