The Information Commissioner’s Office (ICO) has revealed that NHS Birmingham East and North breached the Data Protection Act by failing to have the security measures in place to restrict access to confidential files on its IT network.

Electronic files containing personal information relating to thousands of individuals, including NHS employees, were at risk of being accessed by some of the Trust’s staff, as well as by staff at two other nearby Trusts.

While health records were not compromised, some files also contained high-level information about patients.

NHS Birmingham East and North reported the breach to the ICO in September 2010 after it found that electronic files stored on the shared IT network could have been accessed by employees.

Following an investigation, the ICO found that some security restrictions were in place, and that most files were not easily accessible, but concluded that file security in general was inadequate.

Sally-Anne Poole, acting head of enforcement, said: "It’s vitally important that IT networks storing personal information have robust security measures in place.

"Whilst nobody outside of the Trust environment was able to access the files, problems with the security of the network still led to a situation where sensitive information was potentially available to NHS staff that did not need it to carry out their daily role."

The Trust has since signed an undertaking to ensure that comprehensive policies about the storage and use of personal data are put in place, and that proper technical security measures are implemented to prevent unauthorised access to personal data in the future.