ICO fines NHS £70,000
The Information Commissioner’s Office has issued its first significant monetary penalty following a serious data protection breach by an NHS body
The Information Commissioner’s Office (“ICO”) has taken action following an administrative error by Welsh health board, Aneurin Bevan Health Board (“ABHB”), which led to a serious breach of the Data Protection Act 1998 (“DPA”).
As the ICO gets used to using its new powers to issue substantial fines, all organizations which handle personal data need to ensure they are complying with their obligations under the DPA and have the necessary measures in place to avoid serious breaches occurring.
Section 55 of the DPA came into force on 6 April 2010 and allows the ICO, where there has been a serious contravention of the Act, to serve a monetary penalty notice on data controllers. The maximum penalty that can be imposed is £500,000.
What did they do wrong?
The error, which occurred in March 2011, meant that a highly sensitive report containing details of a patient’s health was sent to a former patient who had a similar name. A letter which had been drafted by a consultant and emailed to his secretary for formatting failed to accurately identify the patient to whom it should have been sent. The draft letter misspelt the name of the patient and did not contain sufficient additional details to identify the patient concerned. Furthermore, the letter was not checked prior to being sent.
The investigation carried out by the ICO into the incident concluded that ABHB did not have in place sufficient checks to prevent personal data being sent to the wrong person and that the members of staff involved had not received any DPA training. An exacerbating factor was that the inadequate procedures followed in this instance were replicated across ABHB.
What was the penalty?
As a result of this incident ABHB has become the first NHS organization to be fined by the ICO.
The ICO has not only issued a fine of £70,000 to ABHB (which will be reduced to £56,000 if early payment is received) but also required it to sign an undertaking with a view to ensuring that all personal data it holds is processed in accordance with the DPA.
Following its investigation into this matter, the ICO had particular concerns about ABHB’s internal practices and the undertaking also includes measures to deal with these, including implementing:
- new checks across the organization to ensure that patients’ identities are established before any documentation containing personal data is issued;
- the provision of training for staff;
- putting in place and maintaining appropriate IT and other security measures; and
- regular monitoring of compliance with the DPA.
This decision comes shortly after the ICO indicated that it would be focusing on, amongst others, the health sector in respect of responses to subject access requests. It has highlighted that notice should be taken of this decision by those operating within the health sector and stated that it is vital that the health service ensures that it has appropriate DPA compliance procedures in place.
The Information Rights Strategy that was published by the ICO at the end of 2011 made clear that it would be taking a robust approach to DPA compliance over the coming year. This decision reflects that approach and should be seriously considered by those organizations and employers operating within the health sector.
Future enforcement action by the ICO is likely to be significant, particularly in view of the European Commission’s proposals for reforming the approach to data protection across the European Economic Area.
Tips for organizations
- Ensure that all your employees are trained on handling personal data, particularly those who process it on a day-to-day basis.
- Consider carrying out a data protection audit to establish the level of compliance with the DPA within your organization and, if necessary, to decide how this can be improved.
- Ensure that you actively promote, implement and monitor compliance – it is not enough to have written policies in place if they are not enforced.