Records Mis-Management: NHS Contractor Puts Thousands at Risk

In a case of records management gone terribly wrong, more than 700,000 letters to NHS patients were discovered to have been piled up in a warehouse and left or disposed of by the bag-full.

The letters contained clinical correspondence that required re-directing because patients had moved GP surgeries or changed home address. Instead, the letters – some of which contained cancer diagnoses, treatment plans, and blood test results – were left unprocessed for up to five years between 2011 and 2016.

The National Audit Office (NAO) discovered that more than 1,700 patients could have been harmed as a direct result of the shocking oversight; these are patients who might have missed important appointments, treatments, and tests. Additionally, 200,000 records are still to be reviewed by GPs to determine whether the patients involved could have been harmed.

Reports suggest that the issue first surfaced back in 2011, when NHS Shared Business Services (NHS SBS) were tasked to re-deliver a backlog of clinical records, around 8,000 pieces, but were soon overwhelmed when, by 2014, this number had reached 205,000. In June of the same year, a review conducted by NHS SBS put this figure at over 300,000 and highlighted the clinical risk to patients who were not receiving their medical letters. No action was taken by senior management to rectify the problem at this time.

By August 2014 bosses were warned that the letters were being destroyed, but it wasn’t until December 2015 that staff began to properly investigate what the letters contained and discovered the clinically urgent subject matter enclosed within so many.

After a thorough investigation into NHS SBS, the NAO found the following data-handling errors:

  • NHS SBS had become aware of a risk to patients in January 2014, but senior managers did not develop a plan to deal with it or tell the government or NHS England for another two years.
  • A label with “clinical notes” written on it had been removed from the room where the files were stored.
  • In August 2015, a member of staff raised concerns the records were being destroyed but nothing was done.
  • NHS SBS finally told NHS England and the Department of Health of the problem in March 2016, but neither Parliament nor the public were told.
  • The episode suggested there had been a conflict of interest between the health secretary’s responsibility for the health service and his department’s position as a shareholder in NHS SBS.
  • NHS England said the company had been “obstructive and unhelpful” when it had tried to investigate the issue.

As the investigation continues, organisations are left wondering whether they have provided adequate data handling and records management training to their own staff. With good records management training, employees will learn how to comply with the law when it comes to handling and storing data and, in doing so, mitigate the risk of data breaches and reputational damage to their company. VinciWorks offer both UK-based and global records management eLearning courses, alongside a bundle of online data protection training specially designed to build confidence and develop data-handling skills.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.
