Data destruction and data processors: the importance of maintaining control

The Information Commissioner’s Office (“ICO”) has recently imposed its biggest monetary penalty to date - £325,000 - arising from insufficient data destruction and lack of control over service providers.

Since my last newsflash on monetary penalties for breach of data protection requirements (7 December 2011 - see “07/12/2011 Newsflash: ICO imposes yet another monetary penalty”), there has been a flurry of monetary penalties imposed by the ICO. There have been nine monetary penalties in 2012 to date. Sums ranging from £70k to £140k were imposed following some familiar-sounding incidents: lost or stolen documents, sending information to the wrong recipient and excessive disclosure of personal data.

The highest penalty to date of £325,000 was served on Brighton and Sussex University Hospitals NHS Foundation Trust (“BSUH”) in June 2012. It is believed that at least 232 hard drives which had been earmarked for destruction in 2010 were instead sold via an internet auction site to several different purchasers. Highly sensitive personal data relating to patients and staff were discovered on the hard drives by some of the purchasers; four drives alone held details of approximately 70,000 patients.

BSUH’s IT services were provided by Sussex Health Informatics Service (“HIS”), which in turn had sub-contracted the destruction of the drives to a company run by one individual. There was no contract in place between BSUH or HIS and the sub-contractor (and the contract between BSUH and HIS had also expired), and only very basic checks on the individual were carried out. The usual procedure for data destruction at the relevant hospital, including the issuance of an individual certificate of destruction for each drive, was not followed. It is believed that the individual instead removed a large portion of the 1,000 de-commissioned drives from the premises and sold them via the auction site.

A couple of important issues leap out at me from this case; they are aspects of data protection compliance which are often overlooked by organisations, but which can lead to very serious breaches:

  • Secure data destruction and deletion. In addressing data security and retention, the end of the data lifecycle must not be forgotten. It is important to adopt and implement appropriate procedures to ensure that equipment and data are securely and effectively destroyed when they are no longer needed.
  • Maintaining control over processors and sub-processors (such as IT service providers). This means more than including a few data protection clauses in your contract with them (although in this case the contracts were also lacking). It includes checking the reliability of providers, ensuring you are kept aware of any sub-contractors, undertaking appropriate supervision and monitoring (of procedures and compliance). You should also consider whether a provider and the security measures taken are appropriate for specific services and tasks as they arise. For example, if highly confidential and/or sensitive information is involved, more stringent checks and higher standards may be required.

Olivia Whitcroft, principal of OBEP, 7 June 2012

This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft.