Companies have been warned to expect much stiffer penalties for flouting data protection laws following reports that the data regulator is planning to fine a health authority a record £375,000 after patient records were stolen from a hospital and sold on eBay.
Brighton & Sussex University Hospitals NHS Trust said that hard drives containing patient data had been sold on the auction website by a contractor it employed to destroy them and an Information Commissioner’s Office spokeswoman confirmed the watchdog had proposed fining the Trust £375,000 over the incident.
The Trust has challenged the suggested penalty. “We were the victims of a crime,” Duncan Selbie, chief executive of the NHS Trust, said in a statement. “We subcontracted the destruction of these hard drives to a registered contractor who subsequently sold them on eBay.”
The move comes hot on the heels of a £120,000 fine issued to Surrey County Council following three separate incidents of employees sending emails with files or attachments containing sensitive personal data to the wrong recipients. Meanwhile Powys County Council in Wales was fined £130,000 for sending details of a child protection case to the wrong recipient.
And, according to some observers, it heralds a new, tougher stance from the ICO.
Data protection lawyer Tracey Dickens at Birkett Long said it shows the ICO’s “bite has teeth”. She added: “In the words of the ICO, ‘this case should act as a warning to others that lax data protection practices will not be tolerated’. If you are storing and processing personal data it is essential that you put in place suitable technical and organisational measures to prevent the information getting into the wrong hands. If a leak does occur, then you must quickly identify the exposure risks and ensure that it does not happen again.”
Earlier this month, the ICO warned businesses that they risk ruining their brand reputation – and with it their customer base – if they slash their data protection budget as if it were a “mere back office function”.