The Information Commissioner’s Office (ICO) has issued its biggest ever fine, slapping the Brighton and Sussex University Hospitals NHS Trust with a £325,000 penalty, but the Trust has expressed its dismay at the actions of the data protection authority.
The case has been rumbling on since January, when it emerged that the NHS Trust was facing a huge fine after hard drives containing a massive amount of sensitive personal data were sold on eBay in 2010.
Data on the hard drives included information relating to HIV patients and criminal convictions, as well as staff details including National Insurance numbers, home addresses and ward and hospital IDs.
The ICO and the Trust, which is now appealing to the Information Tribunal, have very different opinions on the nature of the data breach.
Meanwhile, the ICO said a university contacted the watchdog in April 2011 to inform it that one of its students had purchased hard drives containing data belonging to the Trust. The Trust was not able to explain how the individual tasked with destroying the hard drives was able to take at least 252 of the approximately 1,000 drives away from the room in which they were stored, the ICO said.
“They [the individual] are not believed to have known the key code needed to access the room where the drives were stored, and were usually supervised by staff working for HIS. However, the Trust has acknowledged that the individual would have left the building for breaks, and that the hospital is publicly accessible,” the ICO said in a statement.
“The Trust failed significantly in its duty to its patients, and also to its staff,” added the ICO’s deputy commissioner David Smith.
Brighton and Sussex University Hospitals NHS Trust said it could not afford to pay the fine, claiming it could not understand why it had been hit by such a substantial monetary penalty, nor why the information commissioner ignored its appeals.
“The Information Commissioner has ignored our extensive representations,” Selbie added. “It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine despite repeated attempts to find out, including a freedom of information request which they interestingly refused on the basis that it would ‘prejudice the monetary penalty process’.
“We dispute the information commissioner’s findings, especially that we were reckless, a requirement for any fine.”
Back in January, the proposed fine was set even higher, at £375,000. The £325,000 is still a record for an ICO data breach fine, far surpassing the £140,000 that Midlothian Council was hit with in January.
The ICO has started cracking down on NHS carelessness, issuing the body with its first fine in April.
We hear far too many times that companies have previously used an IT recycling company that promised to destroy the data on their hard drives, only to find that they never received the certificate of data destruction they were promised.
These types of companies are the reason why your data is being left on the hard drives and ending up on eBay for resale. Even the NHS got caught out, only to receive a huge fine.
If you are looking for a company that will destroy the data on your hard drives correctly and supply the certificate you are promised, please follow the link provided below.
http://www.computer-recycling-and-removals.co.uk/hard-drive-shredding-data-destruction.htm