The Information Commissioner’s Office has handed out its biggest ever fine for breach of data protection laws: £325,000. The unlucky recipient of this record was Brighton and Sussex University Hospitals NHS Foundation Trust. This was some £200,000 higher than the previous largest fine by the UK’s data protection regulator. What was the cause of the data breach? The Trust had used a contractor who was supposed to wipe and destroy 1,000 computer hard drives containing highly sensitive personal data on tens of thousands of patients and staff, including details of medical conditions (among them HIV cases), criminal convictions and personal contact details. Some of the hard drives were never wiped and ended up for sale on eBay. The Trust, which says that it cannot afford to pay, has announced that it is appealing the level of the fine. Not surprising!
Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP, comments: “This decision should send shock waves amongst any organisation that does not get its old hardware cleaned properly. Most concerning is that ordinary organisations trust contractors to do the job properly for them. This case shows that this is not a defence. With data residing not just on servers in the office, but also on printers, smart phones and home computers, organisations are leaving themselves exposed and many have not even carried out a proper risk assessment. They should be concerned not just with the level of the fines that the ICO may hand out, but also who else may be reading commercially sensitive information about the business. There are ethical data destroyers who carry out their obligations to Ministry of Defence standards. But there are others who don’t. This is an issue that will only grow as more cases like this come to light.
“If you want to discuss this issue further with us and consider what you can do and who can help you, please contact me.”
