ICO criticised for handing out heavy data protection fines against NHS bodies

The Information Commissioner’s Office – the UK’s data protection regulator – has been criticised by the chairman of a leading patient data protection body for handing out a succession of fines that have hit National Health Service bodies. Christopher Fincken of the UK Council of Caldicott Guardians said the fines issued for serious breaches of data protection laws come straight out of patient care funding. Caldicott Guardians are NHS staff responsible for ensuring that patient data is kept secure. Fincken was concerned that patient care (such as operations) would inevitably be cut to pay for the fines, and that there must be a fairer way to deal with such breaches, for example by holding the relevant officers to account.

This year, the ICO has fined six NHS bodies a total of £950,000. It has the power to fine up to £500,000 for serious breaches of data protection laws. Earlier this year, the ICO announced its strategic decision to target health organisations. In one incident, Brighton and Sussex University Hospitals NHS Foundation Trust was fined £325,000 after sensitive personal data had ended up on eBay. In that case, the Trust had used a contractor that was supposed to wipe and destroy 1,000 computer hard drives. The drives held highly sensitive personal data on tens of thousands of patients and staff, including details of medical conditions (among them HIV cases), criminal convictions and personal contact details. The Trust was held liable for the actions of the contractor.

Paul Gershlick, a Partner and Head of Pharmaceuticals and Life Sciences at Matthew Arnold & Baldwin LLP, comments: “Strictly speaking, the ICO was within its rights to fine an organisation after a contractor had failed to do its data cleaning job properly. However, the criticism of the ICO is correct. The ICO’s emphasis should be on helping organisations to comply with the Act, rather than making easy pickings by fining health providers and more recently charities, who do a lot of good for society. Ultimately, fines to those organisations mean less care for those who need it. That cannot be right. There must be a better way to deal with data breaches by education and working together to improve standards.”