So it seems the Information Commissioner is finally flexing his muscles. On 1 June, Brighton and Sussex University Hospitals NHS Trust was fined £325,000 for a serious breach of the Data Protection Act (DPA).
The fine was issued after tens of thousands of patient records were discovered on hard drives that had been sold on an internet auction site. The sensitive information about staff and patients included home addresses, National Insurance numbers and medical records.
The breach occurred when an employee of the Trust's IT service provider, Sussex Health Informatics Service (HIS), was tasked with destroying around 1,000 hard drives in September and October 2010. In December, a data recovery company bought four of the drives from an internet auction site and discovered the sensitive data. Initially this was thought to be the end of the matter; however, in April 2011 a university student purchased a drive over the internet which was also found to contain data belonging to the Trust. It is thought that up to a quarter of the 1,000 hard drives had been removed from the facility rather than destroyed.
The ICO's Deputy Commissioner and Director of Data Protection, David Smith, said of the civil monetary penalty (CMP):
“The amount of the CMP issued in this case reflects the gravity and scale of the data breach. It sets an example for all organisations – both public and private – of the importance of keeping personal information secure. That said, patients of the NHS in particular rely on the service to keep their sensitive personal details secure. In this case, the Trust failed significantly in its duty to its patients, and also to its staff.”
The ICO’s website informs us that “The Trust has now committed to providing a secure central store for hard drives and other media, reviewing the process for vetting potential IT suppliers, obtaining the services of a fully accredited ISO 27001 IT waste disposal company, and making progress towards central network access.”
Yesterday the Information Commissioner's Office (ICO) also fined Telford & Wrekin Council £90,000 after it breached the DPA on two separate occasions. In both instances, sensitive information about vulnerable children was sent to the wrong recipient, and in both there was a lack of proper processes to ensure the correct storage and transfer of sensitive data.
In these difficult economic times, when budgets are already strained, the last thing you need is a large fine for a preventable DPA breach. The ICO has warned public and private organisations alike to get their houses in order.
IT Governance provides a range of products and services to help you achieve DPA compliance. Whether you need more information about the DPA, training to help you implement a compliance project, or tools to maintain compliance, we have a solution for you:
- Data Protection Compliance in the UK – understand your DPA obligations
- Data Protection vs Freedom of Information – understand the difference between these key pieces of legislation
- Complete Data Protection Toolkit – implement your DPA compliance project quickly and cost-effectively with this toolkit
- SafeXs – A secure USB stick with hardware encryption
- DPA Foundation Course – Understand what the DPA is and how to implement a compliance project in your organisation
- DPA Staff Awareness eLearning – Staff training is essential to DPA compliance; eLearning is the most cost-effective way of delivering it
The Information Commissioner is cracking down on non-compliant organisations and data breaches.