The Information Commissioner's Office (ICO) has fined Brighton and Sussex
University Hospitals NHS Trust ("the Trust") £325,000 for a serious breach
of the Data Protection Act 1998 ("DPA"). This is the
highest data breach fine issued by the information watchdog since
it was granted the power to do so in April 2010, and it far exceeds the
previous record of £140,000 imposed on Midlothian Council in
January of this year.
The ICO issued the fine after the Trust failed to ensure that
hard-drives containing highly sensitive data on thousands of
patients were wiped. The task of destroying the information on
around 1,000 of the Trust's hard-drives had been sub-contracted to an unnamed
individual who came on site to do so. The sub-contractor did not
wipe the hard-drives, was able to remove 252 of them from the room
in which he was supervised (a room that was also secured by a key
code), and 232 were subsequently sold on eBay in October and
The data sold included details of patients' medical
conditions and treatment, disability living allowance forms and
children's reports. It also included documents containing staff
details including National Insurance numbers, home addresses, ward
and hospital IDs, and information referring to criminal convictions
and suspected offences.
The ICO viewed this as a serious breach of patient
confidentiality and said the monetary penalty was justified
because the Trust was unable to explain how the contractor was
able to remove the hard-drives containing the patient information
to be destroyed from the hospital, given that he was supervised and did
not know the code for the door.
However, the Trust disputes the ICO's decision and plans
to appeal, on the grounds that it was able to recover all the hard-drives
concerned and no information entered the public domain; it also
contends that it cannot afford the fine. The Trust has
committed to providing a secure central store for hard-drives and
other media, reviewing its process for vetting potential IT
suppliers, engaging a fully accredited ISO 27001
IT waste disposal company, and making progress towards central
technical and organisational measures against unauthorised or
unlawful processing of personal data and against accidental loss or
destruction of, or damage to, personal data".
Organisations are also required to take extra care with sensitive
personal data, such as patient medical records.
Where such duties are breached, the ICO has recently
issued guidance on the procedures it
follows when determining monetary penalties. The guidance states
that the watchdog will only impose a monetary penalty if it is
"appropriate" to do so, and at a level that is
"reasonable and proportionate, given the particular facts
of the case and the underlying objective in imposing the
The ICO is also obliged to issue a notice of intent specifying
the amount it proposes to fine for a serious breach of the DPA and
the reasons for it. Ability to pay is one of several factors the
ICO considers when setting the level of penalty an
organisation should have to pay for its breach. At present, the ICO
has the power to issue penalties of up to £500,000 for
serious data breaches.
The amount fined in this case is a clear example of the firm
approach the ICO will take where personal information is
breached. The facts the ICO relied on are instructive: the penalty
turned not on the sale of the drives itself but on the Trust's
inability to account for how media awaiting destruction left a
supervised, key-code-protected room. The remedial steps the Trust
has now committed to (a secure central store for media pending
disposal, vetting of IT suppliers, and use of an accredited
disposal contractor) are the controls an organisation should already
have in place, together with a record of which media were handed over
for destruction and confirmation that each was actually wiped or
destroyed.
Do not fall foul of the DPA rules: ensure your organisation
has appropriate audit and security processes in place to
prevent and detect data breaches, failing which your organisation
could be subject to severe financial penalties.
The material contained in this article is of the nature of
general comment only and does not give advice on any particular
matter. Recipients should not act on the basis of the information
in this e-update without taking appropriate professional advice
upon their own particular circumstances.