ICO hands out £200k fine after "truly shocking" data breach at NHS body

The Information Commissioner’s Office has handed out one of its largest ever fines after a data breach by an NHS body that saw the online sale of a computer containing more than 3,000 patient records.

The watchdog described the data breach at NHS Surrey as "truly shocking". However, the body was dissolved at the end of March 2013, with responsibility for paying the £200,000 monetary penalty passing to the NHS Commissioning Board.

After a trial in March 2010, NHS Surrey had engaged a company for hard drive destruction (among other things), even though it had an existing arrangement in place with an approved contractor.

The company had agreed to carry out the service for free, on the basis that it could sell any salvageable materials after the hard drives had been securely destroyed.

The ICO said it understood that the accountable officer for information governance at NHS Surrey had not been involved in that decision.

There was also no written agreement with the company, although the NHS body did receive written assurances that the hard drives would be destroyed.

Further collections took place between 8 March 2010 and 28 May 2012 under the supervision of NHS Surrey’s IT team. Between 10 February 2011 and 28 May 2012 approximately 1,570 PCs with individual hard drives were collected by the company.

On 29 May 2012 a member of the public contacted NHS Surrey to say that he had recently bought a second-hand computer online from a third party company and discovered that it had contained the details of patients.

When it reclaimed the PC and booted up the hard drive using data recovery software, NHS Surrey found that there were 1,428 files. Many of these contained confidential sensitive personal data and HR records. These included patient records relating to approximately 900 adults and 2,000 children.

NHS Surrey subsequently managed to reclaim a further 39 computers sold to the third party company by the trading arm of the new data destruction provider.

Ten of these computers were found to have previously belonged to the NHS body. Three still contained sensitive personal data.

NHS Surrey had mislaid the records of the equipment passed for destruction between March 2010 and 10 February 2011. “Some of the ‘Data Devices Destroyed’ certificates issued before January 2011 stated that the hard drives had been ‘wiped/destroyed/recycled’ so it was unclear exactly what had happened to them,” the ICO said in its monetary penalty notice.

Also, according to the ICO, NHS Surrey was “unable to trace the destinations of the remaining PCs collected by the company between 10 February 2011 and 28 May 2012”.

The watchdog’s investigation concluded that NHS Surrey had failed to observe and monitor the data destruction process, in addition to having no contract in place with the new provider setting out its legal requirements under the Data Protection Act.
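The two failures the ICO identified, no verification that drives were actually wiped and certificates too vague to say what had happened to each device, are both checkable before equipment leaves the building. The following is an added example, not the article's content and not anything NHS Surrey or the ICO produced, of what that check can look like: it reads a drive image, confirms that every block is zero after a zero-fill overwrite, and records the result against the device serial with a method name that must be unambiguous. The drive images, serial number and operator name are constructed in-memory stand-ins for a raw read of a real device.

```python
"""Added example (not from the article or the ICO): verify that a drive image
is actually wiped before it is released, and emit one unambiguous destruction
record per device. Runs offline on constructed in-memory images."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Iterator, Optional, Tuple

BLOCK_SIZE = 4096

# Only methods whose outcome the zero check can confirm. A certificate that
# says "wiped/destroyed/recycled" (the wording the ICO criticised) is rejected
# because it does not say what was done to the drive.
ACCEPTED_METHODS = {"overwrite-zero-1pass", "overwrite-zero-3pass"}


def iter_blocks(image: bytes, samples: Optional[int] = None) -> Iterator[Tuple[int, bytes]]:
    """Yield (offset, block). With samples=None every block is read, which is
    the default for release checks; sampling is only for a quick pre-check,
    because a sampled scan can miss residual data between samples."""
    n_blocks = max(1, (len(image) + BLOCK_SIZE - 1) // BLOCK_SIZE)
    step = 1 if samples is None else max(1, n_blocks // samples)
    for idx in range(0, n_blocks, step):
        off = idx * BLOCK_SIZE
        yield off, image[off:off + BLOCK_SIZE]


def verify_wiped(image: bytes, samples: Optional[int] = None) -> dict:
    """Every checked block must be all zero. Any non-zero byte means the
    overwrite did not complete (or never ran) and the device must not ship."""
    checked = 0
    dirty = []
    for off, blk in iter_blocks(image, samples):
        checked += 1
        if any(blk):
            dirty.append(off)
    return {
        "verified": not dirty,
        "blocks_checked": checked,
        "dirty_blocks": len(dirty),
        "first_dirty_offsets": dirty[:5],
    }


def destruction_record(serial: str, method: str, image: bytes, operator: str) -> dict:
    """Build the per-device record that a 'Data Devices Destroyed' certificate
    should be backed by: serial, exact method, who verified, when, and the
    verification result. Ambiguous method names are refused."""
    if method not in ACCEPTED_METHODS:
        raise ValueError(
            f"ambiguous or unknown method {method!r}; use one of {sorted(ACCEPTED_METHODS)}"
        )
    result = verify_wiped(image)
    return {
        "serial": serial,
        "method": method,
        "operator": operator,
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "image_sha256": hashlib.sha256(image).hexdigest(),
        **result,
    }


# Constructed sample images (1 MiB each). WIPED_IMAGE models a completed
# zero-fill; UNWIPED_IMAGE has one block of leftover text, standing in for
# the recoverable records found on the resold NHS Surrey machine.
WIPED_IMAGE = bytes(1 << 20)
_RESIDUE = b"CONSTRUCTED SAMPLE: residual patient record text, not real data"
_unwiped = bytearray(WIPED_IMAGE)
_unwiped[200 * BLOCK_SIZE:200 * BLOCK_SIZE + len(_RESIDUE)] = _RESIDUE
UNWIPED_IMAGE = bytes(_unwiped)


if __name__ == "__main__":
    for serial, image in (("SN-EXAMPLE-001", WIPED_IMAGE), ("SN-EXAMPLE-002", UNWIPED_IMAGE)):
        rec = destruction_record(serial, "overwrite-zero-1pass", image, "example-operator")
        print(json.dumps(rec, indent=2))
```

The point of keeping the record and the check together is that the certificate then says exactly what was done and that someone confirmed it, which is the evidence NHS Surrey could not produce for the drives collected between March 2010 and February 2011.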

Stephen Eckersley, ICO Head of Enforcement, said:
“The facts of this breach are truly shocking. NHS Surrey chose to leave an approved provider and handed over thousands of patients’ details to a company without checking that the information had been securely deleted. The result was that patients’ information was effectively being sold online.

“This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case. We should not have to tell organisations to think twice before outsourcing vital services to companies who offer to work for free.”

The board will be required to pay the penalty amount by 22 July or serve a notice of appeal by 5pm on 19 July. The full penalty amount is eventually paid into the Treasury’s Consolidated Fund.