An NHS Trust in Northern Ireland has been fined £225,000 by the ICO, following unauthorised access by trespassers to medical and staff records held in a disused building.
The fine is the second highest to date issued by the ICO, beaten only by that issued last month to Brighton and Sussex University Hospitals Trust.
The Trust was formed by an amalgamation of a number of acute and community NHS Trusts in April 2007, taking over responsibility for more than 50 disused sites. Patient and staff records were stored at one of the sites, which had been closed the previous year. The Trust did deploy manned security guards on the site, but within a number of months the existing CCTV system on the site was failing. Trespassers gained access to the site and took photographs of the records, which were then posted on the internet. The Trust became aware of the issue in March 2010.
Upon becoming aware of the unauthorised access, the Trust arranged for an inspection of seven of the 40 or so buildings onsite, and discovered a large quantity of records. However, rather than remove the records, the Trust instead carried out some remedial work to the site, including the repair damaged doors and windows and increased foot patrols.
A year or so later media reported that the security of the records had again been comprises. A further inspection was carried out, which revealed the full extent of the problem, including that many records had been retained in breach of the Trust’s records retention policy. Records on site included 100,000 medical records, and 15,000 staff records, including unopened wage slips. The records were found stored in boxes, in cabinets, on shelves or on the floor.
Reasons for the fine
A number of factors counted against the Trust and led to the large fine:
- The Trust did not carry out an inspection when it took over responsibility for the site – it simply didn’t appear to know about the records stored on the site;
- The data involved was highly confidential and sensitive;
- It took the Trust nearly four years to fully decommission the site (and it only became aware of the records as a result of a report from a third party);
- The breaches arose because of the negligent behaviour of the Trust in failing to take appropriate technical and organisational measures against unauthorised loss of personal data;
- The Trust did not report the breaches to the ICO.
It is no accident that the largest two fines to date have been issued to organisations in the NHS.
NHS bodies handle some of the most sensitive data relating to an individual, and the consequences of unauthorised access or disclosure can be particularly distressing and damaging for the data subjects.
As I have noted previously, the level of effort the Data Protection Act requires data controllers to take in relation to preventing unauthorised access or disclosure is directly linked to the harm that might be caused to data subjects from that unauthorised access or disclosure. It is not dependant upon the risk of an incident occurring, and the fact that the disclosure arose as a result of a deliberate act by a third party makes little difference.
The fine is another timely reminder for those organisations involved in processing highly sensitive personal data to ensure that they are fully aware of the data that they hold, and that they have in place (and have implemented) robust informations security and data retention policies to protect that personal data against unauthorised access or disclosure. It is not simply a case of assessing the likelihood of a breach occurring, but rather what damage might occur if the worst does happen.
On June 19, 2012