The Information Commissioner’s Office has fined Whitehead Nursing Home £15,000 for failing to keep personal information secure. This is a fairly high penalty for such a small business, and it serves as a reminder of the importance of having data protection and IT policies and training in place.
A member of staff took an unencrypted laptop home which was stolen during a burglary. It contained sensitive personal data about 46 members of staff (including sickness and disciplinary records) and 29 residents (including age, health information and ‘do not resuscitate’ status). The ICO launched an investigation after the nursing home reported the incident.
The investigation revealed major flaws in the nursing home’s approach to data protection. There were no policies dealing with encryption, homeworking or storage and security of mobile data. The home had also failed to provide adequate data protection training.
In the ICO’s view this was a serious oversight rather than an intentional breach. However, because the nursing home should have known that this type of incident could occur, £15,000 was an appropriate penalty. A bigger organisation would have received a larger fine.
This case serves as a reminder of the importance of data protection and IT policies and training. In particular these should cover rules and guidance on:
- equipment and data security;
- passwords and encryption;
- travelling with mobile devices;
- working from home;
- taking personal data out of the workplace.
The General Data Protection Regulation
Going forward, there is likely to be an increased focus on data protection. The EU General Data Protection Regulation is due to come into force in May 2018 introducing tougher rules on organisations that handle personal data and higher penalties. It seems that businesses will need to prepare for the introduction of the GDPR despite the prospect of Brexit.