The Information Commissioner’s Office (ICO), the UK’s data protection regulator, has issued a £225,000 fine to the Belfast Health and Social Care Trust for breaches of the Data Protection Act. The Trust was fined after staff and patient records including sensitive personal data, which had been left at an abandoned hospital property, were photographed and posted on the Internet several times. The records included scans, X-rays, medical records and payslips, and had been left at a hospital property after it closed in 2006.
The ICO said in a statement that the Trust should have taken reasonable steps to prevent the breach, including conducting a full inspection of the property (which had not occurred), making an inventory of the records at the property and maintaining appropriate security to prevent access. In addition, the Trust had kept the records for a period of time that was much longer than the Trust’s own policies dictated.
The fine is the second largest ever issued by the ICO for a Data Protection Act breach.