Over the past two months, the Information Commissioner's Office (ICO) has issued four significant Civil Monetary Penalties (CMP) to NHS Trusts for breaches of the Data Protection Act 1998 (DPA), including its highest ever CMP of £325,000 to Brighton and Sussex University Hospitals NHS Trust.
The ICO has the power to impose CMPs of up to £500,000 for serious breaches of the DPA that cause, or are likely to cause, substantial damage or distress to individuals. While the ICO's power to issue CMPs is relatively new, having been introduced in April 2010, in the short time the power has been available the ICO has issued 21 penalty notices in total, with a combined total value of over £2 million.
Brighton and Sussex University Hospitals NHS Trust were fined £325,000 and required to undertake remedial measures after an individual, engaged by the Trust’s IT service provider, who was tasked to destroy approximately 1000 of the Trust's old hard drives removed at least 252 of those hard drives and subsequently sold them on an Internet auction site. The hard drives contained highly sensitive personal data of tens of thousands of patients, including details of patients’ medical conditions and treatment, disability living allowance forms, children’s reports, as well as NHS staff details including National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences.
A CMP of £60,000 was issued to St George’s Healthcare NHS Trust in London after a vulnerable individual’s sensitive medical details were sent to the wrong address. While the letters were addressed to the correct individual, they were sent to his old address despite the fact the individual had not lived at that property for nearly five years and had provided the Trust's staff with his correct address before his medical examination took place.
A CMP of £225,000 was issued to the Belfast Health and Social Care Trust when a disused hospital under the management of the Trust was accessed by trespassers, who obtained sensitive personal data (including medical records) of thousands of patients and staff that had been left on the site and then posted that information online.
Central London Community Healthcare NHS Trust received a CMP of £90,000 after approximately 45 faxes containing sensitive personal data of 59 patients were sent by the Pembridge Palliative Care Unit to the wrong recipient over a three month period.
These recent cases serve as a timely reminder to both private and public sector organisations of the need to have in place, and regularly review, appropriate technical and organisational procedures and policies to keep the personal data that they hold secure and to prevent unauthorised access, use and disclosure to such data. Where sensitive personal data, such as health records, is involved the need to be cautious is even greater.