Is the Information Commissioner’s Office (ICO) getting tougher or are local authorities getting even worse at data management?
With the latest breach, it seems the latter, but don’t believe the ICO is anything but proactive at the moment: it has issued £640,000 in fines in June alone.
The ICO today fined Belfast Health and Social Care Trust (BHSC) a civil monetary penalty of £225,000 following a serious breach of the Data Protection Act.
Back in April 2007, six local trusts merged into the BHSC Trust, and the merger left the BHSC with ownership of, and responsibility for, over 50 largely disused sites, including Belvoir Park Hospital.
In March 2010 the Trust was informed that there had been trespassers on the site and the intruders had found thousands of sensitive staff and patient records. The intruders took pictures of some of these records and then posted them online.
The Trust subsequently investigated and found the staff and patient records. It did not, however, inspect all the buildings on the site because they were “locked or inaccessible, due to concerns about asbestos contamination”.
A year later, after the story had apparently gone away, local news reported that the site could be accessed without authorization. Upon this revelation the Trust conducted a complete search of the premises and discovered further records, many of which breached the Trust’s Records Retention & Disposal Policy.
The ICO’s Assistant Commissioner for Northern Ireland, Ken Macdonald, said: “The Trust failed to take appropriate action to keep the information secure, leaving sensitive information at a hospital site that was clearly no longer fit for purpose. The people involved would also have suffered additional distress as a result of the posting of this data on the Internet.”