Record Data Protection Fine Issued
Brighton and Sussex University Hospitals NHS Trust hasbeen handed the largest fine so far under the Data Protection Act1998. The £325,000 fine was issued following the theft of computerhard drives containing confidential information on thousands ofpatients and staff in September 2010. It is understood that theTrust is going to appeal the fine, which it says it cannot afford,and denies that it was reckless in its actions.
The lost information, which was later discovered on harddrives sold on eBay, included details of patients` medicalconditions and treatment, benefits forms and reports, as well asemployees` National Insurance numbers, home addresses, ward andhospital IDs, and information referring to criminal convictions andsuspected offences.
The ICO`s deputy commissioner David Smith said the finereflected the gravity and scale of the data breach:
"It sets an example for all organisations - both public andprivate - of the importance of keeping personal informationsecure."
Commenting on the ICO`s announcement, Tom Morrison, a Partnerin the Commercial & IP Team at Rollits LLP, said:
"It would be wrong to say that this is the largest fine everissued for a data loss - there have been much larger fines issuedto the banking sector under their own rules - but this is thelargest by far under the Data Protection Act pursuant to the ICO`snew power where a fine can be issued without taking the allegedwrongdoer to court.
"It is clear from quotes which have been published that theTrust disagrees with the assessment made by the ICO and that itviews the fine as unduly harsh - it is two and a half times thenext largest issued to date. By contrast the ICO is sending out astrong message about where it sets the bar and where data breachessuch as this sit on its scale of seriousness. The ICO took sometime to finalise the level of the fine, so it will be interestingto see the outcome of the appeal. In the meantime the message fromthe ICO has come across loud and clear."
This article is for general guidance only. It provides useful information in a concise form. Action should not be taken without obtaining specific legal advice.