ICO ISSUES HIGHEST FINE YET FOR DATA BREACH

Overview
The Information Commissioner (ICO) has fined Brighton and Sussex University Hospitals NHS trust ("the Trust") a whopping £325,000 after committing a serious breach of the Data Protection Act 1988 ("DPA"). This is the highest data breach fine issued by the information watchdog since it was granted power to do so in April 2010, and far exceeds its previous record of a £140,000 fine to Midlothian Council in January of this year.

The ICO issued the fine after the Trust failed to ensure that hard-drives containing highly sensitive data of thousands of patients were wiped, after the task to destroy the information on around 1,000 of their hard-drives was sub-contracted to an unnamed individual who came on site to do so. The sub-contractor did not wipe the hard-drives, was able to remove 252 of them from the room where he was supervised – which was also accessed by key code - and 232 were subsequently sold on eBay in October and November 2010.

The data sold included details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. It also included documents containing staff details including National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences.

The ICO viewed this as a serious breach of patient confidentiality and said the monetary penalty issued was justified as the Trust was unable to explain how the contractor concerned was able to remove the hard-drives, containing the patient information to be destroyed, from the hospital when he was supervised and did not know the code for the door.

However, the Trust has disputed the ICO's decision and plans to raise an appeal since it was able to recover all the hard-drives concerned and no information got into the public domain, as well as contending that it cannot afford the fine. The Trust has also committed to providing a secure central store for hard-drives and other media, reviewing the process for vetting potential IT suppliers, obtaining the services of a fully accredited ISO 27001 IT waste disposal company, and making progress towards central network access.

The Law
Under the DPA, organisations must take "appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". Organisations are also required to take extra care with sensitive personal data, such as patient medical records.

In the event of a breach of such duties, the ICO has recently issued guidance on the procedures it follows when determining monetary penalties. The guidance states that the watchdog will only impose a monetary penalty if it is "appropriate" to do so and at a level that is "reasonable and proportionate, given the particular facts of the case and the underlying objective in imposing the penalty".

The ICO is also obliged to write a notice of intent specifying the amount it proposes to fine for serious breaches of the DPA and the reasons why. The ability to pay is one of several factors the ICO will consider when evaluating the level of penalty that an organisation should have to pay for its breach. At present, the ICO has the power to issue penalties of up to £500,000 for serious data breaches.

Comment
The amount fined in this case makes a clear example of the firm approach the ICO will take in cases where there are data breaches of personal information.

Do not fall foul of the DPA rules and ensure your organisation has in place an appropriate audit and security process in order to tackle potential data breaches, failing which your organisation could be subject to severe financial penalties.

If you require further advice on this matter please contact David Flint or Valerie Surgenor on 0141 303 1100.

© MacRoberts 2012

To register for MacRoberts e-updates on a variety of legal topics, please click here.