PERFORMANCE: The Information Commissioner’s Office has issued NHS Surrey with a £200,000 penalty after more than 3,000 patient records were found on a second hand computer bought through an online auction site.

The information was inadvertently left on the computer and sold by a data destruction company employed by NHS Surrey since March 2010 to wipe and destroy their old computer equipment.

The company carried out the service for free, with an agreement they could sell any salvageable materials after the hard drives had been securely destroyed.

In May 2012 NHS Surrey was contacted by a member of the public who had recently bought a second-hand computer online. Confidential sensitive personal data and HR records, including patient records relating to around 900 adults and 2000 children, were found on the device.

NHS Surrey managed to reclaim a further 10 computers that previously belonged to it, three of which still contained sensitive personal data.

The ICO’s investigation found that NHS Surrey had no contract in place with the provider and failed to observe and monitor the data destruction process.

NHS Surrey mislaid the records of the equipment passed for destruction between March 2010 and 10 February 2011, and was only able to confirm that 1,570 computers were processed between 10 February 2011 and 28 May 2012.

The data destruction company was unable to trace where the computers ended up, or confirm how many might still contain personal data.

ICO head of enforcement Stephen Eckersley said: “The facts of this breach are truly shocking. This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case.”

NHS Surrey was dissolved on 31 March and NHS England will be required to pay the penalty amount by 22 July or appeal by 5pm on 19 July.