The ICO has today announced its largest ever fine for a breach of data protection legislation, £325,000 against Brighton & Sussex University Hospitals NHS Trust. The breach involved a number of its hard drives containing sensitive personal data having been sold to the public via online auction. The Trust was fined even though it was not directly involved in the online sale.

The Trust had contracted its external IT service supplier to carry out the secure destruction of the drives concerned, and that supplier engaged another business, run by one individual, to do so.

That person had, without the Trust’s knowledge or authority, removed at least 252 of around 1000 hard drives from the site, at least 232 of which were sold on to the public according to the related police investigation.

The drives contained personal information including patient health data, ethnic data, sexual preference data, criminal offence data and National Insurance numbers, on tens of thousands of patients and staff members.

The Trust was liable for the breach by the external supplier. The ICO has confirmed that the SLA between the Trust and its main provider had expired and that there was no contract in place between that provider and the small business they engaged to help them.

Nor had the main provider carried out more than very basic checks on that other business. The Trust was unable to explain how the drives had been accessed and removed from site by the individual concerned, since the room containing the drives was secured by key code (apparently not provided to the individual) and protected by CCTV, and the individual was normally supervised by the main provider.

However, the individual was not constantly supervised and, instead of providing an individual certificate of destruction with the relevant serial number for each hard drive, issued a generic document for all the drives.

This decision is a stark reminder that each data controller is responsible for its own data and for the actions of its processors and sub-processors in relation to that data. It reinforces the need for every data controller –

  • to put in place appropriate and effective security measures for their data;
  • to ensure they have suitable and current contract terms with all providers dealing with that data, not just a token reference to data protection which is meaningless in reality;
  • to ensure those terms properly deal with sub-contract arrangements;
  • to ensure more than lip service is paid to checks on processors before appointment, at all levels; and
  • to ensure security of data and compliance with data provisions is properly policed and enforced.

Initially, it appeared from the Trust’s investigation and report to the ICO that the matter, although regrettable, involved only 4 hard drives and so would not proceed further.

The fact that in reality at least 232 were missing and so many individuals were affected, contrary to the assurances from the Trust, led to a material change of approach in the enforcement action.

It is critical to ensure that any security breach investigation is thorough and that accurate facts are provided to the ICO.

As a result of the breach, the Trust has had to improve its data security arrangements, including by –

  • providing a secure central store for hard drives and other media;
  • having a suitable vetting process for IT suppliers; and
  • ensuring it uses a fully accredited ISO 27001 IT waste disposal supplier.

These requirements clearly indicate the ICO’s thinking on what measures will be seen as appropriate. All businesses and organisations will now be expected to review and tighten up their security arrangements accordingly.

Failure to do so against this background is unlikely to be viewed leniently by the ICO. The fact that finances are being squeezed will also not be a valid ground for inaction – otherwise, no fine would have been issued to an NHS Trust.