
The Information Commissioner’s Office (ICO) has served Brighton and Sussex University Hospitals NHS Trust with a £325,000 fine following a breach of the Data Protection Act (DPA).

This is the largest fine the ICO has issued to date. In April 2010 the ICO was granted the power to fine public and private organisations up to a maximum of £500,000 for breaches of the DPA. Since then it has issued a total of 18 monetary penalties, but until now the penalties have been well below the cap, averaging around £82,000.


The fine follows the discovery of highly sensitive personal data belonging to thousands of the Trust’s staff and patients on hard drives which, although destined for secure destruction, somehow ended up for sale on an internet auction site. Of around 1,000 hard drives earmarked for destruction, at least 252 were removed by an employee of the Trust’s IT services provider.

The personal data that was on the hard drives ranged from contact details and criminal convictions of members of staff to highly sensitive medical data about patients being treated in the Trust’s HIV and Genito Urinary Medicine units.

Why such a high fine?

As Martin has blogged previously, the more sensitive the data (and the more harm and distress that might arise in the event of its loss or unauthorised disclosure), the more the ICO expects data controllers to do to guard against such loss or unauthorised access. In this case, the data disclosed was highly sensitive and the breach considerable.

The ICO’s Deputy Commissioner and Director of Data Protection David Smith said:

“The amount of the [fine] issued in this case reflects the gravity and scale of the data breach. It sets an example for all organisations – both public and private – of the importance of keeping personal information secure. That said, patients of the NHS in particular rely on the service to keep their sensitive personal details secure. In this case, the Trust failed significantly in its duty to its patients, and also to its staff.”

When the ICO confirmed its intention to issue this fine back in January, Grant blogged on how well the monetary penalty regime works as a deterrent.


Martin Sloan

Partner at Brodies LLP
Martin is a partner in Brodies’ Technology, Information and Outsourcing group and has wide experience of advising clients on technology procurement and IT and business process outsourcing projects. Martin also advises on data protection (including the GDPR) and general technology and intellectual property law, and has a particular interest in the laws applying to social media and new technology such as mobile apps, contactless/mobile payments, and smart metering.