The Nursing and Midwifery Council, responsible for regulating nurses and midwives throughout the UK, has been issued with a £150,000 monetary penalty notice after its loss of three unencrypted DVDs put the personal data of a nurse and two vulnerable children at risk.

In preparation for a Fitness to Practice hearing, the Council instructed its employees to package and send by courier three DVDs and some additional evidence to the hearing venue in Cardiff. This package contained highly sensitive and confidential information regarding the nurse, the subject of the allegations and information regarding vulnerable children who were identifiable from the information contained within the package. Although the package was collected and delivered to Cardiff in accordance with the Council’s instructions, once opened at the hearing it was discovered that the three DVDs were missing.

Despite dealing with vast quantities of sensitive personal data on a daily basis and being alert to the fact that videoed witness statements may be put on DVD for use at such hearings, the Council had no internal policies in place to cover the essential encryption of this type of data (whilst held at its offices or whilst in transit).

The ICO found that the levels of security in place were not appropriate to the harm that could be caused to the nurse or the vulnerable children if the data was lost. In addition, the distress that could be caused to the individuals on learning that the DVDs containing such sensitive information were missing was substantial. The ICO determined that the Council knew or ought to have known about these consequences and failed to take appropriate steps to prevent such a breach occurring.

So What?

The ICO has the power to issue a civil fine, called a monetary penalty notice, to data controllers which it finds guilty of a serious and deliberate or reckless breach of the DPA's data protection principles and which the ICO believes would be likely to cause substantial damage or substantial distress to affected individuals. The fine can be up to £500,000 per breach. The need to appropriately secure personal data entrusted to an organisation is a key data protection principle and has been the trigger for all but one of the 32 fines issued under the Data Protection Act 1998 ("DPA") since 2011.

The penalty notice issued to the Council continues the trend of such notices being issued against institutions in the health sector for breaches of the DPA. The Council was required to undertake a review of its data sharing policies and, in particular, consider how it was sharing information with third parties. As expected, the recommendations were for the Council to put in place more formal policies and procedures regarding data security, particularly in relation to the encryption of data stored on removable media.

As part of its investigation, the ICO looked at the level of understanding that the Council’s employees have in relation to compliance with the DPA. The ICO believes that employees in the healthcare sector who deal with sensitive personal data on a daily basis should be aware of the risks involved in doing so. Here, the ICO found that the employees should have calculated the potential risk of sending the unencrypted DVDs. This highlights the importance of clear policy documentation and regular training on these issues.

In addition, the ICO referred to its guidance on the encryption of data (published in 2007), indirectly criticising the Council for failing to consider this guidance. This is a helpful reminder that those in the healthcare sector should consider, if they have not already, this guidance as part of any current or future review of their own policies, procedures and training.