NHS Trust Given £325k Penalty

In January this year I blogged about reports that the Information Commissioner (IC) had sent a notice of intent to serve a civil monetary penalty notice (CMP) of £375,000 on Brighton and Sussex University Hospitals NHS Trust. At the time I said

If this MPN is served, as intended, then the IC might be faced with headlines equating (for example) £375,000 to the amount it costs to employ a nurse, or a doctor, or provide essential but costly medical treatment. I hope (and I am sure) he has a strategy for such circumstances.

Well, it has been served, today. And though the amount has been slightly reduced – £325,000 – it is still by some way the largest CMP ever imposed by the IC. However, this case may be important for other reasons.

Firstly, it related to disposal of hardware containing sensitive personal data. As the IC’s press release says

It follows the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine (GUM) patients – on hard drives sold on an Internet auction site in October and November 2010.

The data included details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. It also included documents containing staff details including National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences.

The IC has been running an “unscrubbed hard drives initiative” following a reported security breach in 2009 involving the sale of un-scrubbed hard drives on the internet containing personal data, and internal meeting minutes from January indicated that this initiative was nearing completion. It would not be surprising if some formal guidance on the subject was now issued.

Secondly, and more broadly, it is interesting and worrying that a fundamental role in this data breach was played by a contractor appointed to securely destroy the hard drives. As a data processor (rather than the data controller) this contractor was not liable under the Data Protection Act 1998 (DPA) for any serious breaches: this is why the Trust takes the hit. However, the contractor in question was the Department of Health-accredited Sussex Health Informatics Service (SHIS). SHIS appears to have sub-contracted the work to “Company A”, which in turn sub-contracted to a one-person “Company B”. This individual subsequently sold 232 hard drives on the internet auction site.

The contractual and sub-contractual confusion appears to have been key: the Trust did not even know that the individual had been appointed, and did not know that he had been attending their offices, ostensibly to remove and securely destroy the drives. Data controllers need to be acutely aware of what is happening to the personal data they control, and this obligation cannot be overlooked when they feel the data, or the hardware containing it, has become obsolete.

The fact that SHIS was so involved is particularly worrying. Health Informatics Services are expected to be in the vanguard of data security in the NHS. They say

Keeping data safe and confidential is a core duty for health service providers – and a core THIS service. Our award-winning Confidentiality and IM&T Security service helps customers to fully comply with national and local standards.

Under current law the IC’s powers to take action against a data processor are limited. That may change when the European Data Protection Regulation is ultimately enacted. One would hope, however, that SHIS, and the Department of Health, are looking very closely at their own compliance and security.

UPDATE: 15:15

The Trust has now issued a statement, which to an extent attempts to deflect responsibility onto the contractor. Duncan Selbie, the Chief Executive, has said

We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay.

The Information Commissioner has ignored our extensive representations. It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine despite repeated attempts to find out, including a freedom of information request which they interestingly refused on the basis that it would “prejudice the monetary penalty process”.

He goes on to say

We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal.

If this transpires, it will be the second recent instance of an appeal of a CMP by an NHS body.

The Independent reports the Trust also saying

the fine would pay for the delivery of 300 babies, 50 hip operations, 30 heart bypasses and 360 chemotherapy treatments.

This rather confirms what I predicted in January

the IC might be faced with headlines equating (for example) [an NHS CMP] to the amount it costs to employ a nurse, or a doctor, or provide essential but costly medical treatment. I hope (and I am sure) he has a strategy for such circumstances.

Perhaps this strategy will be revealed during any subsequent appeal proceedings.


Filed under Data Protection, Information Commissioner, monetary penalty notice

2 responses to “NHS Trust Given £325k Penalty”

  1. Very interesting point about data processors.

    Re fine – perhaps the relevant board management could forgo their wages to cover the fine, thereby saving these resources? Hopefully this will force controllers to keep to the law. I say good on the ICO (and in my experience it’s not often we get to say that).

  2. Pete G

    Duncan Selbie can’t fall back on what else the money could be spent on and should be ashamed of himself for bringing it up.
    If he wanted to spend money on hip replacements etc. instead of keeping personal data secure, then why didn’t he just throw the hard drives on eBay himself and spend the money saved on the extra heart bypasses?
    I’d imagine he’s diverting £100k+ away from those chemotherapy treatments via his own salary, so presumably he does recognise the idea of competing interests. If patients are going to suffer, let’s be clear it’s because of the failings in his organisation. So perhaps resignation, rather than indignation, might be the appropriate response from Mr Selbie.
    As for his representations being ignored, unless the author is wrong, the fine dropped by £50k as a direct result of the representations.