How Oxford Health NHS Foundation Trust found its weakest link

In September 2014 Oxford Health NHS Foundation Trust (‘the Trust’) was required to give an undertaking following two data breaches, one of which stemmed from errors by a data processor who posted a file of patient data online in the course of migrating a website. The undertaking required the Trust, amongst other things, to carry out better due diligence on data processors, to enter into appropriately robust contracts when outsourcing, to use Privacy Impact Assessments before starting projects and to have appropriate breach management plans in place.

The ICO has now completed a follow-up, seeking assurance that the Trust has appropriately addressed the actions agreed in its undertaking. This incident acts as a reminder that a data controller’s compliance is only as good as that of its weakest link, and that the ICO will keep a close eye on data controllers who have previously been found to have breached the DPA.
