ICO says £325k fine "sets an example" but NHS trust vows to appeal

A record £325,000 fine handed down this week to an NHS trust for a data breach “sets an example for all organisations - both public and private”, the Information Commissioner’s Office has said.

The fine was levied after the discovery that hard drives containing data from the Brighton and Sussex University Hospitals NHS Trust (BSUH) were sold on an Internet auction site.

BSUH had admitted in January this year that it was facing the prospect of a large fine over the incident. However, the fine levied is slightly lower than the £375,000 figure set out by the ICO in an initial notice of intent.

In a statement, chief executive Duncan Selbie said the trust “simply cannot afford to pay a £325,000 fine and was therefore appealing to the Information Tribunal.”

The previous record fine (£140,000) was imposed on Midlothian Council for disclosing sensitive data relating to children and their carers to the wrong recipients on five separate occasions.

The £325,000 monetary penalty was imposed on BSUH after an ICO investigation into the sale of hard drives on eBay in October 2010 and November 2010.

According to the watchdog, the hard drives contained highly sensitive personal data belonging to more than 70,000 patients and staff. HIV and Genito Urinary Medicine (GUM) patients were among those affected.

The hard drives included:

  • Details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports;
  • Documents containing staff details including National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences.

The incident arose from the intended destruction of approximately 1,000 hard drives. BSUH’s IT service provider was Sussex Health Informatics Service (HIS), although the only document evidencing the arrangement between the two organisations was a service level agreement that had expired.

Pending destruction, the hard drives were kept in a room accessed by key code at Brighton General Hospital in September and October 2010.

HIS sometimes sub-contracted work it could not handle itself, typically to ‘Company A’.

Company A could not destroy hard drives, so recommended a second business run by an individual, ‘Company B’. But there was no contract in place between HIS and the individual’s company and only very basic checks were made by HIS on the individual’s credentials.

According to the ICO, BSUH was apparently unaware that HIS had engaged the individual to destroy the hard drives at the hospital.

The individual attended the hospital from 28-30 September and 14-15 October to carry out the destruction.

The ICO said it understood that the hard drives should have been destroyed in the former X-Ray department which also could only be accessed using a key code.

On completion of the work a ‘certificate of destruction’ should have been obtained from the individual containing serial numbers for each drive. “Instead, only one generic document was provided for the whole batch,” the ICO said.

In December 2010, a data recovery company bought four hard drives from a seller via eBay. The seller had purchased them from the individual engaged by HIS. This incident was voluntarily reported by BSUH to the ICO.

The watchdog said it received assurances in its initial investigation following the December 2010 discovery that only those four hard drives were affected and that all the other hard drives awaiting destruction had been secured.

But a university contacted the watchdog in April 2011 to say that one of its students had purchased hard drives via an Internet auction site as part of his computing studies. At least 15 out of 20 drives examined by the ICO contained data belonging to the trust.

As a result of a police investigation, the ICO said it understood that the individual sold at least 232 of BSUH’s hard drives on an auction site.

According to the ICO, BSUH “has been unable to explain how the individual removed at least 252 of the 1,000 hard drives he was supposed to be destroying from the hospital during his five days on premises”.

It added that the individual was not believed to have known the key code needed to access the separate rooms where the drives were stored and destroyed. The individual was usually but not constantly supervised by staff working for HIS.

BSUH acknowledged, however, that the individual would have left the building for breaks, and that the hospital was publicly accessible.

The trust has told the ICO it is confident that the individual destroyed the majority of the hard drives on the premises “even though there were no audit trails and inventory logs of the movement of and destruction of the hard drives to support this view”.

The 232 hard drives have all been accounted for, but not all have been recovered.
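The two control failures the ICO describes above, a single generic certificate of destruction instead of per-drive serial numbers, and no audit trail or inventory log of the drives’ movement, are both detectable by a simple reconciliation. The following is an added example written for this article, not code from the ICO, the trust or HIS; the drive serials, asset tags and custody events are constructed sample data, and the three-step custody sequence (stored, released, destroyed) is an assumed process, not the one the hospital used.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Drive:
    serial: str     # manufacturer serial printed on the drive label
    asset_tag: str  # the organisation's own inventory tag


@dataclass
class Reconciliation:
    destroyed: list    # in inventory and certified destroyed
    unaccounted: list  # in inventory, absent from the certificate
    unexpected: list   # certified, but never handed over by us
    duplicated: list   # listed more than once on the certificate


def reconcile(inventory, certificate_serials):
    """Compare the disposal inventory with the serials on a certificate of destruction.

    A 'generic' certificate that carries no serials leaves every drive
    unaccounted for, which is why a per-drive certificate is required.
    """
    by_serial = {d.serial: d for d in inventory}
    seen = Counter(certificate_serials)
    return Reconciliation(
        destroyed=sorted(s for s in seen if s in by_serial),
        unaccounted=sorted(s for s in by_serial if s not in seen),
        unexpected=sorted(s for s in seen if s not in by_serial),
        duplicated=sorted(s for s, n in seen.items() if n > 1),
    )


def custody_gaps(events):
    """Return drives released from the secure store with no later 'destroyed' record.

    events: chronological (serial, action) pairs; action is one of
    'stored', 'released' or 'destroyed' (assumed process steps).
    """
    last_state = {}
    for serial, action in events:
        last_state[serial] = action
    return sorted(s for s, state in last_state.items() if state == "released")


# Constructed sample data: six drives awaiting destruction.
SAMPLE_INVENTORY = [Drive(f"SN-{i:04d}", f"TAG-{i:03d}") for i in range(1, 7)]

# Constructed certificate: one serial twice, one serial we never owned,
# and three of our drives missing altogether.
SAMPLE_CERTIFICATE = ["SN-0001", "SN-0002", "SN-0002", "SN-0003", "SN-9999"]

# Constructed custody log: SN-0004 left the secure store but was never
# recorded as destroyed.
SAMPLE_CUSTODY_LOG = (
    [(d.serial, "stored") for d in SAMPLE_INVENTORY]
    + [(f"SN-{i:04d}", "released") for i in range(1, 5)]
    + [(f"SN-{i:04d}", "destroyed") for i in range(1, 4)]
)


if __name__ == "__main__":
    result = reconcile(SAMPLE_INVENTORY, SAMPLE_CERTIFICATE)
    print("certified destroyed:", result.destroyed)
    print("unaccounted for:    ", result.unaccounted)
    print("not ours:           ", result.unexpected)
    print("listed twice:       ", result.duplicated)
    print("released, never destroyed:", custody_gaps(SAMPLE_CUSTODY_LOG))
```

Any non-empty `unaccounted` or `custody_gaps` list is the point at which a disposal should be halted and investigated; with a generic certificate the `unaccounted` list is simply the whole inventory, which makes the weakness of a batch-level certificate visible immediately rather than after drives turn up on an auction site.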

The ICO’s monetary penalty notice said the aggravating features that affected the level of the fine were the highly sensitive nature of some of the personal data, the “huge amount” of personal data involved and that BSUH had the financial resources to pay “without causing undue financial hardship”.

Mitigating features included that the security breach had (to the ICO’s knowledge) been relatively contained, that the contravention was exacerbated by circumstances outside the direct control of BSUH, and that the trust had been fully cooperative.

The notice also said that BSUH had selected HIS to act as its processor, “which had been accredited by the Department of Health, and might reasonably have been expected to be familiar with the nature of the personal data in question and the need for appropriate security.”

The ICO’s Deputy Commissioner and Director of Data Protection, David Smith, said: “The amount of the CMP issued in this case reflects the gravity and scale of the data breach. It sets an example for all organisations - both public and private - of the importance of keeping personal information secure.

“That said, patients of the NHS in particular rely on the service to keep their sensitive personal details secure. In this case, the Trust failed significantly in its duty to its patients, and also to its staff.”

BSUH has made a number of commitments following the ICO investigation, including to:

  • provide a secure central store for hard drives and other media;
  • review the process for vetting potential IT suppliers;
  • obtain the services of a fully accredited ISO 27001 IT waste disposal company; and
  • make progress towards central network access.

However, it will appeal the fine before the First-Tier Tribunal (Information Rights).

Chief Executive Duncan Selbie said: “We dispute the Information Commissioner’s findings, especially that we were reckless, a requirement for any fine. We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay. No sensitive data has therefore entered the public domain.”

Selbie pointed out that the trust had voluntarily reported “all of this” to the ICO, and claimed that he had been told by the watchdog in the summer of 2011 that this was not a case worthy of a fine.

BSUH’s chief executive added that the ICO had ignored its extensive representations.

“It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine despite repeated attempts to find out, including a freedom of information request which they interestingly refused on the basis that it would ‘prejudice the monetary penalty process’,” he said.

Selbie added: “In a time of austerity, we have to ensure more than ever that we deliver the best and safest care to our patients with the money that we have available. We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal.”

Earlier this month the Central London Community Healthcare NHS Trust said it would be instructing lawyers to appeal a £90,000 fine imposed by the ICO after data was faxed to the wrong recipient.

The BSUH case and the CLCH case will be the first legal challenges to a monetary penalty issued by the watchdog under s. 55A of the Data Protection Act 1998.

Philip Hoult