Health bosses ignored repeated warnings to remove confidential patient records from a disused hospital, an official report has found.
NHS Tayside only removed the records from the Strathmartine Hospital on the outskirts of Dundee after media reports emerged about the abandoned data.
Scotland's health secretary Nicola Sturgeon said the rules need to be tightened to ensure the security of all health data.
"Despite three opportunities to address this issue NHS Tayside did not follow through on the information they were provided with," a report by NHS Quality Improvement Scotland found.
"It was not until the situation broke in the media that the NHS board took effective action.
"The expert group considers this to be a further illustration of the lack of effective project management of the closure of this site."
Health chiefs were first alerted to records, including health and staff payroll data, lying in a disused ward at the site after a break-in in April 2005. These were later removed to a secure area.
Copyright © PA Business 2008
The case highlights the importance of ensuring secure storage of all personal data at all times. Whilst organisations are investing heavily in increased security of electronic systems, it is vital that they do not lose sight of the need to ensure the physical safety of hard copy data.
The seventh principle of the Data Protection Act 1998 requires all those who handle personal data to ensure that appropriate measures are taken against unauthorised or unlawful disclosure of personal data and against accidental loss or damage. This goes much further than ensuring that documents are placed in a safe place: it requires organisations, amongst other things, to ensure the reliability of their employees and contractors who may deal with personal data on their behalf.
The principle applies equally to all personal data, in whatever format, and the penalties for a breach can be costly.