Data Protection Update: ICO Issues Record Monetary Penalty

The Information Commissioner’s Office (ICO) has issued Brighton and Sussex University Hospitals NHS Trust with a monetary penalty of £325,000 following a serious breach of the Data Protection Act 1998.

This is the largest monetary penalty issued by the ICO since it was first granted the power to hand out penalties of up to £500,000 in April 2010. It is also some £185,000 more than the previous highest penalty of £140,000, issued against Midlothian Council in January 2012.

The breach involved the disclosure of highly sensitive personal data belonging to tens of thousands of patients and staff (including the results of medical tests) contained on hard drives which the Trust failed to ensure were adequately destroyed. The destruction of approximately 1,000 hard drives was subcontracted to an individual engaged by the Trust’s IT service provider. However, rather than destroying the hard drives, the subcontractor removed at least 252 of them from the Trust’s premises and sold them on an internet auction site.

The Trust is to appeal the decision on the basis that all of the hard drives were subsequently recovered and that they can ill afford the fine.

Comment

The ICO is certainly adhering to the promise it made in January 2012 to give “particular regulatory attention” to health organisations as part of its enforcement strategy – indeed, the Trust is the third health organisation to receive a monetary penalty in just over a month.

This case stands as a cautionary reminder to all organisations – and particularly those that process sensitive medical data – to review their data security practices now (including their processes for vetting, and their contracts with, potential IT contractors) as the information watchdog’s bite is rapidly becoming as severe as its bark.

For more information or advice on the contents of this update, please contact Jessica Brickley or Anna Jones.