The Central London Community Healthcare NHS Trust has been fined £90,000 for a serious breach of the Data Protection Act.
The breach began in March 2011 when patient lists intended for a local hospice were faxed from a palliative care unit to the wrong recipient. The unintended recipient telephoned the trust in June 2011 to say it had been receiving the patient lists (which totalled around 45 faxes over a 2-3 month period), but had been shredding them.
The lists contained confidential and sensitive personal data including medical diagnoses, information about the patients’ domestic situations and resuscitation instructions. A total of 59 individuals were affected.
The Information Commissioner's Office (ICO) found that the trust had failed to have sufficient checks in place to ensure that sensitive information sent by fax was delivered to the correct recipient. The trust had also failed to provide the member of staff concerned with sufficient guidance and training on the fax protocol in place between the trust and the intended recipient. No consideration had been given to a possible alternative to the use of faxes, such as secure email.
In imposing the penalty, the ICO took into account the following aggravating features:
- the fact that the individuals were receiving palliative care at the time of the breach and the distress which would have been caused by them knowing that their information had been disclosed to a third party;
- the fact that the breach was repeated for over a two-month period before being discovered; and
- the fact that the unintended recipient could not be traced to verify the destruction.
The ICO also took into account the following mitigating features:
- there was no previous similar security breach;
- there had been no further dissemination of the information as far as the ICO was aware;
- there had been no complaints received from the affected data subjects;
- there was a voluntary report made to the ICO;
- the data subjects were notified;
- a detailed investigation was conducted;
- substantial remedial action was taken; and
- the trust was fully cooperative with the ICO.
The notice can be viewed here.