A nasty surprise (it is reported) has just popped through the letterbox at Sussex University Hospitals NHS Trust: a notice from the Information Commissioner threatening a fine of £375,000 following the theft of computer hard drives full of patient and staff information.

Over 200 hard drives were taken from Brighton General Hospital in September 2010. The trust says it will challenge the proposed penalty, but an Information Commissioner’s Office (ICO) spokesman said they are looking into a possible breach of the Data Protection Act and refused to speculate on what particular action would be taken.

Sussex Police were called in by the trust when a hard drive ended up on eBay. It seems the trust used a subcontractor to decommission a stack of old hard drives, which were then stolen.

The trust chief executive officer says the risk of the information getting out to the public at large is low and that they are the victims of a crime. But the proposed reaction of the ICO highlights its determination to penalise data controllers for failures to manage data security, particularly when sensitive personal information is involved.

Our top tip is to imagine the consequences for, and within, your organisation if this happened to you. Please make sure you have your information governance and data security procedures in “apple-pie” order. How are your contractors performing? Have you done due diligence on them and spot checks?

The size of the proposed fine is way in excess of anything else previously handed out or considered. We wonder whether there is more to this story than meets the eye.