Since May 2011 the Information Commissioner’s Office (the “ICO”) has had the power to issue Civil Monetary Penalties (“CMPs”) of up to £500,000 for serious breaches of the Data Protection Act.
Typical breaches where CMPs may be imposed include loss or mishandling of confidential data and unwanted marketing emails and texts.
Over the past few months the ICO has shown an increased readiness to use this power. This follows a spate of high profile cases where sensitive, confidential information has been lost by public authorities and multinational companies.
The largest penalty so far, £325,000, was imposed against Brighton and Sussex University Hospitals NHS Trust in June this year. This followed the discovery that hard drives previously owned by the NHS Trust were being sold on internet auction sites still containing patient information, including medical conditions and treatment details.
The NHS Trust had retained the services of Sussex Health Informatics Services (“Informatics”) to destroy 1,000 hard drives which had been held in a secure room at Brighton General Hospital. A number of these hard drives made their way onto internet auction sites, and the ICO was notified of the infringement by a data retrieval company which had purchased some of them. It transpired that the individual retained by Informatics to destroy the hard drives had managed to remove over 250 of them from the secure room at the hospital. The size of the penalty reflects the severity of the data breach. The NHS Trust was found to have failed significantly in its duty to its patients and staff. This CMP is one of five recently issued against NHS Trusts which have failed to protect the confidentiality of patient records.
These cases are timely reminders to all organisations that process personal data that they need to take appropriate measures to prevent the accidental loss or destruction of, or damage to, personal data. Failing to do so is a breach of the Data Protection Act and can lead to large penalties.
If faced with a security breach, organisations need to act fast to ensure that the damage is contained, that the information is retrieved if possible, and that the appropriate notifications are made. Depending on the circumstances, this may involve notifying the individuals affected, the Information Commissioner and, in serious cases, the police.
To minimise the risk of security breaches, and of being fined by the ICO if one does happen, it is sensible for all organisations to have in place policies and procedures for protecting personal data and for dealing with unauthorised disclosures.