My father went to the doctors recently. He needed to have a blood test and the doctor gave him his blood test forms to book the appointment with. The doctor checked that the top form (of those stapled together) had his name and address on it. When we got home, I got the forms out the make the appointment. There were three sheets of paper stapled together, the top two referred to my dad but the third belonged to another patient.

I rang the surgery and explained that he had the name, address, phone number, date of birth, NHS number etc of another patient. The receptionist said that she didn’t know what to do and would need to speak with someone else. When she came back on the line, she asked me to destroy the paperwork, I was a bit naughty and said I would put it in the bin. She said that was fine!

Ok, so what went wrong?

They stapled two of my dad’s forms and someone else’s together – perhaps they should have asked the doctor to check the name and address on each of the forms instead of just the top one.

The receptionist didn’t know how to respond to the query – training is key for people to understand what they need to be doing but the receptionist did know who to ask for advice.

Did they add this data breach to their internal incident register?

Telling me to put it in the rubbish is not good enough, it should have been shredded.

This is all very straightforward things to do to stop a recurrence, but will any of it be put into place?

What simple things can you do in your business to ensure the security of personal information?