NHS Trust To Appeal ICO Fine
Central London Community Healthcare NHS Trust says ICO has “acted incorrectly”
The Central London Community Healthcare (CLCH) NHS Trust has told TechWeekEurope that it intends to appeal the £90,000 fine it was issued by the Information Commissioner’s Office (ICO) for a serious breach of the data Protection Act (DPA).
CLCH said that it had cooperate fully with the ICO investigation and that it had since taken a number of measures to prevent such an incident happening again.
Three months
The breach first occurred in March last year when patient lists from Pembridge Palliative Care Unit, intended for St John’s Hospice, were faxed to the wrong recipient, who then alerted the Trust. In total, 45 faxes were sent over a three month period.
The faxes contained sensitive personal data about 59 individuals, including medical diagnoses, information about the patients’ domestic situation and resuscitation instructions, but were shredded by the accidental recipient.
“Patients rely on the NHS to keep their details safe. In this case Central London Community Healthcare NHS Trust failed to keep their patients sensitive information secure, said Stephen Eckersley, the ICO’s head of enforcement. “The fact that this information was sent to the wrong recipient for three months without anyone noticing, makes this case all the more worrying.”
The ICO said its investigation found that the Trust failed to have sufficient checks in place and that the member of staff who made the error had not received the appropriate data protection guidance and training.
Appeal incoming
However CLCH believes that the ICO has acted incorrectly and that the penalty is too harsh.
“CLCH looks after around 150,000 new patients every year so protecting patient confidentiality is one of our top priorities,” said a spokesperson. It is hugely regrettable that this incident, which was down to human error, happened and we have apologised to all the individuals and families who were affected by this mistake.
“We have conducted our own internal investigation and taken a number of actions to reduce the risk of such an incident happening again including the phasing out of the use of faxes in favour of more secure email and phone systems.”
“We also reported ourselves to the Information Commissioner and fully co-operated with his investigation,” they added. “However, we deeply regret that the Information Commissioner has decided to impose a fine and so we have instructed our lawyers to commence an appeal against this. We consider that the Commissioner has acted incorrectly as a matter of law and so we have no alternative but to bring an appeal.”
The fine is unlikely to improve the NHS’ poor reputation for protecting patients’ data; the organisation was hit with its first fine in April when the Aneruin Bevan Health Board in Wales was issued a £70,000 penalty for send a sensitive report to the wrong person.
Only last week, the ICO fined Barnet Borough Council for a data breach and the organisers of the London Marathon are under investigation for posting participants’ personal details on the event’s official website.
What do you know about privacy? Find out with our quiz!