A London NHS trust fined £90,000 for serious data breach

The Central London Community Healthcare NHS Trust has been fined £90,000 for a serious breach of the Data Protection Act.

The breach began in March 2011 when patient lists intended for a local hospice were faxed from a palliative care unit to the wrong recipient. The unintended recipient telephoned the trust in June 2011 to say it had been receiving the patient lists (which totalled around 45 faxes over a 2-3 month period), but had been shredding them.

The lists contained confidential and sensitive personal data including medical diagnoses, information about the patients’ domestic situations and resuscitation instructions. A total of 59 individuals were affected.

The Information Commissioners Office (ICO) found that the trust had failed to have sufficient checks in place to ensure that sensitive information sent by fax was delivered to the correct recipient. The trust had also failed to provide the member of staff concerned with sufficient guidance and training on the fax protocol in place between the trust and the intended recipient. No consideration had been given to a possible alternative to the use of faxes, such as secure email.

In imposing the penalty, the ICO took into account the following factors/aggravating features:

the fact that the individuals were receiving palliative care at the time of the breach and the distress which would have been caused by them knowing that their information had been disclosed to a third party;
the fact that the breach was repeated for over a two-month period before being discovered; and
the unintended recipient could not be traced to verify the destruction.

They also took into account the following mitigating features:

there was no previous similar security breach;
there had been no further dissemination of the information as far as the ICO was aware;
there had been no complaints received from the affected data subjects;
there was a voluntary report made to the ICO;
the data subjects were notified;
a detailed investigation was conducted;
substantial remedial action was taken; and
the trust was fully cooperative with the ICO.

The notice can be viewed here.

Register Now As you are not an existing subscriber please register for your free daily legal newsfeed service.

A London NHS trust fined £90,000 for serious data breach

Tags

Related United Kingdom articles

90,000 reasons to consider ongoing data protection training as critical *

NHS trust receives record fine for breaching the Data Protection Act *

UK First-Tier Tribunal dismisses appeal against Information Commissioner's Monetary Penalty Notice *

Monetary penalties: highest private sector penalty imposed on Sony and first published appeal rejected *

Data protection fines perspective on the Pru's £50,000 fine *

Popular articles from this firm

Permitted development changes - to come into force on 30 May 2013 *

The unintended consequences of Jackson *

Judge puts precedence clause in its place! *

Breach is the battle, causation and loss the war *

New CIOB contract - initial impressions *