ICO issues first NHS fine

Several National Health Service (NHS) Trusts have received Undertakings from the ICO, but on 30 April  the regulator issued the Aneurin Bevan Health Board (ABHB) a penalty of £70,000, making ABHB the first NHS organisation to be served a civil monetary penalty.

ABHB accidentally sent a sensitive report containing explicit details relating to a patient’s health to the wrong person. While the ICO says that this is a serious breach of the DP Act, the level of fine is far off the maximum of £500,000. The ICO has previously said that its objective in fining organisations is to promote compliance and that the level of this particular fine is ‘reasonable and proportionate given the particular facts of the case’. 

The ICO said that the fault lies with inadequate training and checks. The members of staff in question had in fact not received any data protection training. The organisation has now agreed to organise training for all staff. It has also made a commitment to monitor compliance with data protection policies and IT security. In particular, the ICO wants the Health Board to ensure that letters containing confidential and sensitive personal data are not despatched unless the patient’s name has been carefully checked against at least one unique identifier.

Stephen Eckersley, the ICO’s Head of Enforcement said:
“We are pleased that the Health Board has now committed to taking action to address the problems highlighted by our investigation; however organisations across the health service must stand up and take notice of this decision if they want to avoid future enforcement action from the ICO.”

If the organisation pays by 23 May it will receive a 20% reduction. This is in line with several other organisations that have seen their fines reduced from the original ones. A big fine in the pipeline - £375,000 for the Brighton and Sussex University Hospitals NHS Trust has not yet been confirmed. The Trust told PL&B that it has appealed the ICO’s notice of intent, but would not release any details when responding to a PL&B FOI request.

See the ICO monetary penalty on ABHB.