The ICO has hit NHS Surrey with a £200,000 ($300,000) fine after a “shocking” lapse allowed a member of the public to buy a hard drive containing the records of 3,000 patients that had supposedly been sent for secure destruction.

The issue came to light when the individual contacted the former NHS Trust in May 2012 after using recovery software to reveal the records of 2,000 children and 900 adults on a second-hand drive inside a PC reportedly bought on eBay.

This turned out to be part of a larger consignment of PCs handed over to a third-party company on the proviso that the hard drives and their data were destroyed. Ten further drives inside PCs that had belonged to NHS Surrey were discovered to have been sold on in this way despite certificates showing their claimed disposal; a further three contained confidential data.

The ICO's published rebuke reveals a catalogue of failures, starting with poor oversight of the company asked to dispose of the drives. Assurances that the drives would be physically destroyed were taken at face value as were the subsequent destruction certificates.

No members of the IT team observed the destruction or took time to carry out a risk assessment of the firm's processes or reliability. More surprising, the contractor was engaged to carry out disposal despite NHS Surrey already using a separate supplier for the same task.

The ICO's judgement does not speculate on the reasons behind NHS Surrey's decision to use a new and unproven firm for disposal; the contractor did not charge NHS Surrey for the service on the basis that the PCs were supplied free of charge, the ICO noted.

Uncomfortably, between February 2011 and May 2012, the contractor picked up 1,570 PCs containing hard drives marked for disposal, the fate of some of which was now open to doubt, the ICO said.

“The facts of this breach are truly shocking. NHS Surrey chose to leave an approved provider and handed over thousands of patients’ details to a company without checking that the information had been securely deleted,” said the ICO's head of enforcement,  Stephen Eckersley,

“The result was that patients’ information was effectively being sold online. This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case,” he said.

“We should not have to tell organisations to think twice, before outsourcing vital services to companies who offer to work for free.”

The theme of storage media turning up in the public domain containing private data is far from new. In 2012 the ICO published the results of its own survey that found that one in ten hard second-hand drives turned out to contain personal data.