After a series of breaches where the NHS organisation involved received nothing more than a slap on the wrist the Information Commissioner is finally ratcheting up the pressure on public sector organisations, especially the NHS for breaching the Data Protection Act.

In the latest breach Brighton and Sussex University Hospitals NHS Trust has been fines £320,000 after a serious breach and is the highest ever issued.

The maximum fine was raised to £500,000 in April 2010

It is worth noting that fines under the proposed European Data Protection Act will be considerably higher with numbers in the order of €1 million or 2% of turnover been discussed, see Proposed European wide Data Protection Act – a review.

The Brighton and Sussex University Hospitals NHS Trust involved highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine (GUM) patients – on hard drives sold on an Internet auction site in October and November 2010.

The data included details of:

  • Patients’ medical conditions
  • Treatments
  • Disability living allowance forms
  • Children’s reports

It also included documents containing staff details including:

  • National Insurance numbers
  • Home addresses
  • Ward
  • Hospital IDs
  • Information referring to criminal convictions and suspected offences

The data breach occurred when an individual engaged by the Trust’s IT service provider, Sussex Health Informatics Service (HIS), was tasked to destroy approximately 1000 hard drives held in a room accessed by key code at Brighton General Hospital in September and October 2010. A data recovery company bought four hard drives from a seller on an Internet auction site in December 2010, who had purchased them from the individual.

Although the ICO was assured in our initial investigation following this discovery that only these four hard drives were affected, a university contacted us in April 2011 to advise that one of their students had purchased hard drives via an Internet auction site. An examination of the drives established that they contained data which belonged to the Trust.

The Trust has been unable to explain how the individual removed at least 252 of the approximate 1000 hard drives they were supposed to destroy from the hospital during their five days on site. They are not believed to have known the key code needed to access the room where the drives were stored, and were usually supervised by staff working for HIS. However, the Trust has acknowledged that the individual would have left the building for breaks, and that the hospital is publicly accessible.

The ICO’s Deputy Commissioner and Director of Data Protection David Smith said:

“The amount of the CMP issued in this case reflects the gravity and scale of the data breach. It sets an example for all organisations – both public and private – of the importance of keeping personal information secure. That said, patients of the NHS in particular rely on the service to keep their sensitive personal details secure. In this case, the Trust failed significantly in its duty to its patients, and also to its staff.”

See previous ICO monetary fines for the NHS