Digital Transformation

ICO issues record £325,000 fine to NHS trust

Brighton and Sussex University Hospitals NHS Trust found guilty of breaching the Data Protection Act

The Information Commissioner’s Office (ICO) has issued the Brighton and Sussex University Hospitals NHS Trust with a £325,000 fine – the highest such punishment ever handed out via the Civil Monetary Penalty (CMP) scheme – due to a "serious breach of the Data Protection Act".

With the incident reportedly a result of an individual removing hospital hard drives that they had been told to destroy and instead selling them online, an ICO investigation found that around 252 drives which contained the personal information of staff and patients had been compromised as a result.

"The amount of the CMP issued in this case reflects the gravity and scale of the data breach," said the ICO’s deputy commissioner and director of data protection, David Smith. "It sets an example for all organisations – both public and private – of the importance of keeping personal information secure."

Considering that the hard drives are said to have contained records regarding both staff and patients – including the likes of addresses, national insurance numbers and medical conditions – it seems that a significant number of people may have had their personal information exposed to potential thieves.

Indeed, given that the drives were sold over an internet auction site, it appears that there is a strong possibility that they could have fallen into the wrong hands.

In spite of the event, the NHS trust says it plans to appeal against the punishment, claiming that it was not reckless in the handling of the sensitive files – a condition which has to be proven if a fine is to be imposed.

"We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay," said the chief executive of Brighton and Sussex University Hospitals, Duncan Selbie.