ICO issues £225,000 fine following failure to adequately protect paper records on disused site

An NHS Trust in Northern Ireland has been fined £225,000 by the ICO, following unauthorised access by trespassers to medical and staff records held in a disused building.

The fine is the second highest to date issued by the ICO, beaten only by that issued last month to Brighton and Sussex University Hospitals Trust.

Background
The Trust was formed by an amalgamation of a number of acute and community NHS Trusts in April 2007, taking over responsibility for more than 50 disused sites. Patient and staff records were stored at one of the sites, which had been closed the previous year. The Trust did deploy manned security guards on the site, but within a number of months the existing CCTV system on the site was failing. Trespassers gained access to the site and took photographs of the records, which were then posted on the internet. The Trust became aware of the issue in March 2010.

Upon becoming aware of the unauthorised access, the Trust arranged for an inspection of seven of the 40 or so buildings on site, and discovered a large quantity of records. However, rather than remove the records, the Trust instead carried out some remedial work to the site, including the repair of damaged doors and windows and increased foot patrols.

A year or so later the media reported that the security of the records had again been compromised. A further inspection was carried out, which revealed the full extent of the problem, including that many records had been retained in breach of the Trust’s records retention policy. Records on site included 100,000 medical records and 15,000 staff records, including unopened wage slips. The records were found stored in boxes, in cabinets, on shelves or on the floor.

Reasons for the fine
A number of factors counted against the Trust and led to the large fine:

  • The Trust did not carry out an inspection when it took over responsibility for the site – it simply didn’t appear to know about the records stored on the site;
  • The data involved was highly confidential and sensitive;
  • It took the Trust nearly four years to fully decommission the site (and it only became aware of the records as a result of a report from a third party);
  • The breaches arose because of the negligent behaviour of the Trust in failing to take appropriate technical and organisational measures against unauthorised loss of personal data;
  • The Trust did not report the breaches to the ICO.

Comment
It is no accident that the two largest fines to date have been issued to organisations in the NHS.

NHS bodies handle some of the most sensitive data relating to an individual, and the consequences of unauthorised access or disclosure can be particularly distressing and damaging for the data subjects.

As I have noted previously, the level of effort the Data Protection Act requires data controllers to take in relation to preventing unauthorised access or disclosure is directly linked to the harm that might be caused to data subjects from that unauthorised access or disclosure. It is not dependent upon the risk of an incident occurring, and the fact that the disclosure arose as a result of a deliberate act by a third party makes little difference.

The fine is another timely reminder for those organisations involved in processing highly sensitive personal data to ensure that they are fully aware of the data that they hold, and that they have in place (and have implemented) robust information security and data retention policies to protect that personal data against unauthorised access or disclosure. It is not simply a case of assessing the likelihood of a breach occurring, but rather what damage might occur if the worst does happen.
