Poor data destruction of sexual health and staff data leads to £325,000 highest ever fine by UK ICO

The UK Information Commissioner (ICO) announced today a record fine of £325,000 on Brighton and Sussex University Hospitals NHS Foundation Trust over failure to properly dispose of around 1,000 computer hard drives. As a result, 252 hard drives, some containing sensitive sexual health and staff data were sold on an internet auction site (previewed in PL&B UK Report May 2012 p.16).

The problem leading to the fine is explained in the ICO’s Monetary Penalty Notice.

The controller worked with an IT provider, Sussex Health Informatics Service (“HIS”) who are accredited by the Department of Health. However, this organisation then sub-contracted the hard disk disposal to one sub-contractor who then sub-contracted to another sub-contractor in a process ultimately without a written contract or an audit trail. Recovered disks contained data on the sexual health details of 67,642 patients in an easily readable format. The individuals could have been subject to blackmail or identity theft.

The ICO explains:

1. the circumstances leading to the fine, including the data security and legal failings

2. the aggravating features the Commissioner has taken into account in determining the amount of a monetary penalty

3. the mitigating features the Commissioner has taken into account in determining the amount of the monetary penalty, including several “behavioural issues” which meant that the maximum fine of £500,000 was not imposed.

This list of behavioural issues shows the ICO’s thinking on how it handles such cases and is, therefore, useful for everyone working in the UK and include:

  • the hospital (the data controller) selected HIS to act as its processor which had been accredited by the Department of Health, and might reasonably have been expected to be familiar with the nature of the personal data in question and the need for appropriate security
  • active attempts made by the data controller to recover the sold hard drives and assist the police in their investigation
  • initial loss of four of the hard drives were voluntarily reported to the ICO
  • a detailed investigation report was compiled
  • remedial action has now been taken
  • the hospital trust was fully cooperative with the ICO.

The ICO is explicitly using this incident as a way of sending a message to all data controllers of the importance of effective data destruction (PL&B UK Report November 2011 p.10). The only good news for the data controller is that the fine will be reduced by 20% if it pays the fine by 26th June.