The issue dates back to July 2015, when Bayswater Medical Centre in London moved out of a former GP surgery but continued to use the premises for storage purposes. A year later, representatives of another GP surgery were allowed to visit the vacant building with a view to taking over the lease.
However, once inside, they found unsecured medical records and other sensitive information and informed Bayswater Medical Centre, but the owners took no action to secure the data, despite repeated warnings by both the other surgery and the local Clinical Commissioning Group.
In February 2017, officers from NHS England visited the site and found a large quantity of highly sensitive information left on desks, in unlocked cabinets and in bins. They ordered Bayswater Medical Centre to remove the information the next day.
An Information Commissioner's Office investigation discoverd that the personal data, which included medical records, prescriptions and patient-identifiable medicine, had been left unsecured in the building for more than 18 months, and slapped the organisation with a £35,000 fine.
ICO head of enforcement Steve Eckersley said: “Bayswater Medical Centre left their patients’ most sensitive data abandoned and with no thought for the distress that this could cause them if it had been lost or misused.
“It is our duty to stand up for people’s data rights and to ensure that their sensitive personal information is protected. Out of sight is definitely not out of mind. We don’t want anyone to think that they can avoid the law or their duties by abandoning personal data in empty buildings.”