Where there has been a breach of the Data Protection Act 1998, the Information Commissioner’s Office (“ICO”) has a number of options open to it depending on the seriousness of the breach. The most severe action the ICO can take is issuing fines (which can be up to £500,000 under current legislation) or instigating criminal prosecutions. However, where more minor breaches have occurred, the ICO may consider serving an enforcement notice (requiring an organisation to take (or refrain from taking) specified steps to ensure compliance with the law) or issuing an undertaking (committing an organisation to a particular course of action in order to improve its compliance).
Recently, the South West Yorkshire Partnership NHS Foundation Trust (the “Trust”) was required to give undertakings in consideration of the ICO not exercising its powers to serve an enforcement notice.
The Trust had sent patient data to the wrong address on a number of occasions: two separate incidents involved correspondence addressed to two different patients being put into one envelope and two other incidents concerned patient information being sent to the wrong address. All incidents related to sensitive personal data and were breaches of the seventh data protection principle [1], in particular the requirement that “the data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.”
When the ICO investigated the breaches, it considered that the Trust’s response had not gone far enough. For example, the Trust had taken steps to prevent such breaches recurring by sending out details of the breaches to staff along with reminders of the need to check the content of correspondence and the address before sending. However, the Trust did not formalise this in any policy or procedure. Furthermore, whilst the Trust investigated each incident, this took some time, the investigations were not very detailed and no disciplinary action was taken (although the Trust did consider that all incidents related to human error).
The ICO required the Trust to give undertakings ensuring that:
- it updated its Safe Haven Policy to provide guidance on checking the contents of correspondence before it is sent, for all methods of communication;
- the guidance provided on checking contact details on every contact is formalised in an appropriate policy;
- all security incidents involving personal data are thoroughly investigated, with any remedial actions and measures clearly established and given a timeframe for completion; and
- it implemented such other security measures as are appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.
It is interesting that the ICO considered that merely notifying the employees of the breaches and reminding them to perform checks was not sufficient, and that the guidance needed to be formally included in policy documentation. It is also noteworthy that the ICO required timely and thorough investigations of security incidents, with remedial actions and measures to be clearly determined.
The ICO will conduct a follow-up assessment in a few months’ time to ensure that the Trust is complying with the undertaking, e.g. that it has formally included the guidance in its policy documentation.
Current trends published by the ICO show that the health sector in the twelve months to 28 April 2015 had the greatest number of data protection incidents, and that these were mostly to do with loss or theft of paperwork or were breaches of the seventh data protection principle. Properly remedying breaches where they occur, so as to ensure an overall reduction, is necessary to build public confidence in the future centralisation of health records in the UK.