Most of the records would have been several years old, but the Trust are unsure how many of them contained personal information.
They were stored in a disposal room, rather than a “dedicated storage space” as they should have been and this led to them being removed.
They were then destroyed sometime between the 28th and 31st of December 2010, but the hospital didn’t notice they were missing until three months later.
Whilst some of the records would have contained personal information relating to patient’s treatment, this is thought to be limited.
However, they did contain details of names and addresses of both patients and staff.
“The Trust has confirmed that the loss of these records does not pose a clinical risk to data subjects affected by this incident,” the report read.
The Trust have now been ordered by the ICO to take action to make sure that staff are trained in data protection policies and procedures and follow them in the correct way.
Acting Head of Enforcement, Sally Anne Poole, said: “Although the majority of information lost was several years old and only being kept for archiving purposes, there is no excuse for failing to keep it secure.”
“The hospital should have ensured that the records were kept in a safe area – and, had they had adequate audit trails in place, they would have been able to keep track of where this information was at all times.”
In a speech given two days ago at the Healthcare, Technology and Innovation exhibition in London, the ICO’s Head of Strategic Liason, Jonathan Bamford, stressed that the health sector “needs to do more to protect sensitive patient data.”
Poole NHS Trust were also recently ordered to take action following the theft of two diaries which contained information on 240 midwifery patients.