PERFORMANCE: NHS Bournemouth and Poole has been found guilty of breaching the Data Protection Act for passing patient information to a company it had commissioned to carry out NHS health checks.

A report to September’s board said a patient had complained to the Information Commissioners Office after being contacted by Enhanced Healthcare Services and invited for a health check. The primary care trust had passed on contact details to the company after awarding a contract to carry out the health checks but thought they had followed data protection guidelines.

The ICO upheld the complaint on the grounds that the patient’s details were passed to a third party without his consent.

The report said: “Fortunately, on this occasion, the ICO has decided not to take any regulatory action against the organisation, largely due to the Information Governance processes that the PCT can demonstrate are in place, and also because the PCT has agreed to write to all of the patients who were contacted by EHS.

“However, if the PCT is found to breach the DPA on a future occasion, it is highly likely that the organisation will receive a monetary penalty.”