The Information Commissioner’s Office (“ICO”) has recently imposed its biggest monetary penalty to date - £325,000 - arising from insufficient data destruction and lack of control over service providers.
Since my last newsflash on monetary penalties for breach of data protection requirements (7 December 2011 - see “07/12/2011 Newsflash: ICO imposes yet another monetary penalty”), there has been a flurry of monetary penalties imposed by the ICO. There have been nine monetary penalties in 2012 to date. Sums ranging from £70k to £140k were imposed following some familiar-sounding incidents: lost or stolen documents, sending information to the wrong recipient and excessive disclosure of personal data.
The highest penalty to date of £325,000 was served on Brighton and Sussex University Hospitals NHS Foundation Trust (“BSUH”) in June 2012. It is believed that at least 232 hard drives which had been earmarked for destruction in 2010 were instead sold via an internet auction site to several different purchasers. Highly sensitive personal data relating to patients and staff were discovered on the hard drives by some of the purchasers; four drives alone held details of approximately 70,000 patients.
BSUH’s IT services were provided by Sussex Health Informatics Service (“HIS”), which in turn had sub-contracted the destruction of the drives to a company run by one individual. There was no contract in place between BSUH or HIS and the sub-contractor (and the contract between BSUH and HIS had also expired), and only very basic checks on the individual were carried out. The usual procedure for data destruction at the relevant hospital, including the issuance of an individual certificate of destruction for each drive, was not followed. It is believed that the individual instead removed a large portion of the 1,000 decommissioned drives from the premises and sold them via the auction site.
A couple of important issues leap out to me from this case; aspects of data protection compliance which are often overlooked by organisations, but which can lead to very serious breaches:
Olivia Whitcroft, principal of OBEP, 7 June 2012
This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details