The highest ever fine issued by the Information Commissioner's Office (ICO) in respect of a Data Protection Act (DPA) breach has been levied - £325,000. The unlucky recipient is Brighton and Sussex University Hospitals NHS Trust.
Highly sensitive personal data belonging to tens of thousands of patients and staff were found on hard drives sold on an internet auction site, according to the ICO press release. The data included sensitive personal information relating to patients' medical conditions, treatment and circumstances, and children's reports. The data also included staff details, including National Insurance numbers, home addresses and information relating to criminal convictions and suspected offences.
1,000 hard drives were held securely in a room accessed by a key code at Brighton General Hospital. The problem arose from a contract to destroy those hard drives. According to the ICO, the Trust has apparently been unable to explain how the individual contractor removed 252 of the 1,000 hard drives from site when they were supposed to be destroyed on site. The ICO's deputy commissioner and director of data protection, David Smith, is quoted as saying "The amount of the (penalty) issued in the case reflects the gravity and scale of the data breach. It sets an example for all organisations - both public and private - of the importance of keeping personal information secure. Patients of the NHS in particular rely on the service to keep their sensitive personal details secure".
The latest fine follows quickly on a fine of £90,000 served on the Central London Community Health Care NHS Trust for a serious breach of the DPA when sensitive personal data was faxed to an incorrect and unidentified number. The breach was repeated on 45 occasions and compromised 59 data subjects' personal data.
Workers in the health care industry are aware of the critical issues concerning sensitive personal data, and it is imperative that systems and procedures are in place to militate against inadvertent breaches of the DPA, which can have serious consequences.
For Data Controllers in health care (and other industries) who are considering notifying the ICO of a security breach, there is a standard form for self-reporting. Guidance on notification of data security breaches is available on the ICO website. The issue of lost sensitive personal data is particularly critical.
For further information regarding confidentiality breaches or any other commercial litigation matter, please contact Holly Dobson on 0114 266 6660 or email [email protected].