ICO Fine of the NHS Trust – Who Owns the Risk?

If you have an NHS card, receive NHS treatment and have ever been to hospital, raise your hand…either a lot of us all want to leave the room at the same time, or this particular kind of breach can affect pretty much everyone from the UK.

From the ICO website:

“NHS Hospital Trust  receives a Civil Monetary Penalty (CMP) for serious data breach.

Brighton and Sussex University Hospitals NHS Trust has been served with a Civil Monetary Penalty (CMP) of £325,000 following a serious breach of the Data Protection Act (DPA), the Information Commissioner’s Office (ICO) said today.

The fine is the highest issued by the ICO since it was granted the power to issue CMPs in April 2010.

It follows the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine (GUM) patients – on hard drives sold on an Internet auction site in October and November 2010.

The data included details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. It also included documents containing staff details including National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences.

The data breach occurred when an individual engaged by the Trust’s IT service provider, Sussex Health Informatics Service (HIS), was tasked to destroy approximately 1000 hard drives held in a room accessed by key code at Brighton General Hospital in September and October 2010. A data recovery company bought four hard drives from a seller on an Internet auction site in December 2010, who had purchased them from the individual.”

You can read the full piece here.

Discussion of this penalty in various places online, has raised a variety of questions and opinions. Some people feeling, even within the Data Protection community, that this was ‘too harsh’ (source: Linkedin European Data Protection Forum discussion) Others, with a due sense of subject fatigue, feeling that not only was it right but that it is a bit more like the kind of penalty the ICO needs to be handing out and not just to the public sector either.

Looking at this particular breach and reading the arguments that the penalty was too high makes me wonder if people understand the risk scenario. The task of destroying these hard drives was out-sourced. They were still owned by the trust and they were still guardians of this data.

It looks like a failure of Risk Management that this occurred and one would question if proper due diligence was performed on the contractor tasked with this. A decent Risk Assessment would have suggested that they either sanitise the data prior to disposal or procure an on-site disposal service – the supplier of which should have been sourced from a reputable list like SEAP. I guess you get what you pay for.

The bottom line is the buck stops with the Trust, they were guardians of this data. They out-sourced the task not the risk or accountability. If the Chief Executive is the SIRO, which they should be, should they be made personally accountable for incidents like this? CESG guidance is very clear on how highly sensitive data should be handled in these circumstances, so there really is no excuse.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s