Keying numbers into a fax machine leads to privacy breaches

May 19, 2015

The health industry maintains an affection, if not fetish, for facsimile machines. In my very recent experience specialists and general practitioners have demonstrated a reliance on fax machines over electronic mail. This has led to significant privacy breaches. The Northumbria Healthcare NHS Foundation Trust has provided an undertaking to the Information Commissioner’s Office that it will improve the way it handles patients’ information.

The facts are set out in the ICO’s media release which provides:

The Information Commissioner’s Office (ICO) has issued Northumbria Healthcare NHS Foundation Trust with an undertaking committing the trust to improving the way it handles patients’ information.

The action comes after the trust mistakenly sent five faxes containing information relating to the care of several patients to a member of the public. The faxes should have been sent to a social care team working at the trust but the wrong number was dialled.

After the first incident occurred in March 2014, the trust took action to make sure its fax machines were only able to send information to pre-programmed numbers belonging to organisations working in the health service. However, these measures were not adopted across all wards and four further faxes were sent to the same member of the public again two months later.

The ICO’s investigation found that the trust failed to inform all wards about the original data breach and the actions that they should take to stop this mistake occurring again. The trust also initially made no effort to recover the documents once they were alerted to the problem.

ICO Head of Enforcement, Stephen Eckersley, said:

“Many people will be surprised that we are still having to warn organisations about their use of fax machines. There are certainly more secure ways to send information, but if an organisation decides that a document must be sent in this way then they should have adequate measures in place to make sure the information is actually sent to the correct person. These measures must be adopted across all areas of the organisation.

“We are pleased that Northumbria Healthcare NHS Foundation Trust are now going to take effective action to make sure that a secure process is in place to keep information sent by fax secure.”

The undertaking commits Northumbria Healthcare NHS Foundation Trust to introducing clear procedures so that any data breaches reported to the trust are acted upon promptly and remedial measures are introduced across the organisation. Fax procedures, including the use of pre-programmed numbers to avoid mistakes, must be adopted across all wards to ensure adequate security standards are maintained across all wards. The trust must make these improvements by 30 October 2015.

The personal data handling processes that will be implemented include:

  1. Procedures are put in place to ensure any reported breach of security is acted upon promptly and any containment and remedial measures are swiftly enforced. Where necessary staff should receive appropriate additional training by no later than 30 October 2015;
  2. Fax procedures are implemented consistently across all wards and regularly monitored to ensure consistent standards. Compliance with the fax policy and guidance should be monitored on an ongoing basis and appropriate steps taken to ensure any failings are rectified with minimal delay by no later than 30 October 2015;
  3. The process around the use of safe haven fax machines should be clear and unambiguous; Staff should be regularly reminded of requirements of use of safe haven fax machines by no later than 30 October 2015;
  4. The data controller shall implement such other security measures as it deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.
