No sooner have we reported about another NHS Trust fined by the Information Commissioner’s Office – the UK’s data protection regulator – for a data breach, we can now bring news of yet another large fine. This time, it was the turn of Torbay Care Trust to receive a £175,000 fine for a serious breach of the Data Protection Act, it was likely to cause substantial damage or distress and the data controller should have known but failed to take reasonable steps. In this case, confidential and sensitive personal data relating to 1,400 employees were published on the Trust’s website. The data included that which could be used for identity theft, as well as sensitive personal data such as disabled status, ethnicity, religious belief and sexual orientation. There was a lack of process to protect the data and more data was supplied and used for wider purposes than should have been the case.
The Trust took remedial action and co-operated, but this still did not satisfy the ICO. Other factors in favour of lenient treatment included no previous similar security breaches by the Trust, no complaints received from data subjects and payment falling on the public purse. However, the ICO also took on board aggravating features, which were that the data had been on the site for 19 weeks, a large number of employees being affected, identity fraud could occur, there was negligent behaviour in failing to take appropriate organisational measures against unauthorised data processing, and the Trust having sufficient financial resources to pay a monetary penalty.
Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP, comments: “Most tellingly, in issuing another large fine on yet another NHS Trust, the ICO noted that the underlying objective in imposing a monetary penalty is to promote compliance with the Act. It said that there was an opportunity to reinforce the need for data controllers to ensure appropriate and effective security measures In other words, it was keen to make another example by imposing a hefty fine again on an organisation that stepped out of line with its data protection obligations.”