
NHS Trust to appeal against £325k patient data breach fine

Out-Law News | 01 Jun 2012 | 5:20 pm

An NHS Trust in England has been issued with the heaviest ever fine for a breach of data protection laws by the Information Commissioner's Office (ICO) after "highly sensitive personal data" was stolen from a hospital under its control and sold on eBay.

The ICO has levied a fine of £325,000 on Brighton and Sussex University Hospitals NHS Foundation Trust (BSUH) over the breach (monetary penalty notice, 14-page / 189KB PDF: http://www.ico.gov.uk/news/latest_news/2012/~/media/documents/library/Data_Protection/Notices/bsuh_monetary_penalty_notice.ashx), marking a near-£200,000 difference between the punishment in this case and the highest fine the watchdog had previously issued.

However, BSUH has said that it cannot afford to pay the fine, despite the ICO's insistence that it has "sufficient financial resources" to do so, and that it will appeal against the decision.

In 2010 BSUH contracted a company to remove and destroy approximately 1000 computer hard drives containing "highly sensitive personal data" from a secure room at Brighton General Hospital. However, the individual contracted to do the work sold some of the hard drives on eBay.

The personal data contained on the hard drives related to tens of thousands of patients and staff, the ICO said. Details of individuals' medical condition and treatments, including in relation to HIV cases, as well as home addresses, ward and hospital ID numbers and information about criminal convictions and suspected offences were among the records stored on the stolen hard drives.

A data recovery company bought four hard drives from the contractor on eBay, but despite assurances from BSUH that no other personal data had been stolen, a university later reported that a student had also bought 20 hard drives from the individual via the site, the ICO said. In total 252 hard drives were removed from the secure room during the five days the individual spent on site at Brighton General Hospital.

The watchdog said BSUH "has been unable to explain" how the individual managed to remove the hard drives, but that it had acknowledged that the person had not always been supervised and had had access to the hospital, even though the room in which the drives were stored required 'key code' access.

"The amount of the [civil monetary penalty] issued in this case reflects the gravity and scale of the data breach," David Smith, deputy Information Commissioner, said in a statement. "It sets an example for all organisations - both public and private - of the importance of keeping personal information secure."

"That said, patients of the NHS in particular rely on the service to keep their sensitive personal details secure. In this case, the Trust failed significantly in its duty to its patients, and also to its staff," he added.

BSUH said it contests the ICO's reasons for its punishment.

"We dispute the information commissioner's findings, especially that we were reckless, a requirement for any fine," Duncan Selbie, chief executive of BSUH, said, according to a report by the Guardian (http://www.guardian.co.uk/government-computing-network/2012/jun/01/ico-data-breach-brighton-nhs?newsfeed=true). "We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay."

"No sensitive data has therefore entered the public domain. We reported all of this voluntarily to the Information Commissioner's Office, which told me last summer that this was not a case worthy of a fine. The information commissioner has ignored our extensive representations."

"It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine despite repeated attempts to find out, including a freedom of information request which they interestingly refused on the basis that it would 'prejudice the monetary penalty process'. In a time of austerity, we have to ensure more than ever that we deliver the best and safest care to our patients with the money that we have available. We simply cannot afford to pay a £325,000 fine and are therefore appealing to the information tribunal," Selbie said.

Under the Data Protection Act (DPA) organisations must take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". The law requires organisations to be extra protective over sensitive personal data, such as patient medical records.

Under the DPA the ICO has the power to issue penalties of up to £500,000 for serious data breaches.

The ICO has issued guidance on the procedures it follows when determining whether and how much to fine organisations. The guidance states that the watchdog will only impose a monetary penalty if it is "appropriate" to do so and at a level that is "reasonable and proportionate, given the particular facts of the case and the underlying objective in imposing the penalty".

Whether a penalty is reasonable and proportionate or even appropriate at all depends on "the particular facts and circumstances" of individual cases and the "representations" that organisations are permitted to make to explain the incident.

The ICO is obliged to write a notice of intent detailing the amount it proposes to fine organisations or individuals for serious breaches of the DPA and the reasons why. The notice must also set out the right of the body or person to make their representations in response. The ICO's guidance states that the representations can include "comment on the facts and views" of the Commissioner, "general remarks on the case" or details of their financial situation. The ability to pay is one of several factors that the ICO has said it considers when evaluating the level of penalty organisations should have to pay for breaching the DPA.

Following this stage the ICO reassesses the individual cases and serves a finalised monetary penalty notice, if it chooses to issue one, on the organisation or individual.

The ICO had initially proposed serving BSUH with a £375,000 civil monetary penalty but reduced this figure by £50,000 when delivering its final notice. If BSUH opts to pay the penalty by 25 June, the ICO said, it need only pay £260,000.

The highest data breach fine the ICO had previously handed out was £140,000 to Midlothian Council in January this year.