To fine or not to fine: The ICO and the NHS

By Graeme Burton
27 Apr 2012

The reason so many cases come to light in the NHS, he suggested, is that for most organisations reporting a breach of the Data Protection Act is not a legal requirement. In the NHS, however, it is a "management instruction" to report all data breaches - both of computerised data and of physical data, such as paper records - to the ICO.

That then sets in train what is, by now, a well-practised investigatory process. First, the ICO conducts a preliminary assessment as to whether the reported breach can be categorised as a "serious breach" that carries substantial risk of damage and distress, said Smith.

If so, a full investigation is instigated. This involves site visits and interviews with staff. "What we are looking for is not just an unencrypted memory stick that was lost, it's what sits behind that in terms of a failure by the organisation to have proper arrangements in place to protect the data," said Smith.

He added: "If the organisation can show us that they have got a very clear policy that states that all portable media must be encrypted and that they brought that to the attention of their staff; that there's been training; and they can point you to an individual who has knowingly broken the rules against whom they have taken disciplinary action, then we probably wouldn't proceed to a monetary penalty, if they can show that they have taken reasonable steps."

In the case of South London Healthcare NHS Trust - an organisation formed from the merger of two near-bankrupt neighbouring NHS Trusts - the ICO was satisfied that the losses were fairly isolated incidents and contrary to the Trust's established processes. Instead of serving an enforcement notice under section 40 of the Act, which would have enabled the ICO to levy a fine, the chief executive of the Trust signed an undertaking to:

  • Ensure the use of encryption when personal data is stored on a portable device or transmitted;
  • Ensure that the Trust's policies on the storage and use of personal data are followed by staff;
  • Make staff aware of the responsibilities of "data controllers" with regard to the retention, storage and use of personal data, and train them accordingly.

What is perhaps intriguing is the neutrality of the ICO on the subject of downloading personal data from organisational systems in the first place. Rather than discouraging the practice, the ICO's recommendation is that the data ought to be encrypted on the device.

But most security experts would say that a member of staff should not be allowed to download sensitive personal data simply because they want to work on it at home.

Smith apparently disagrees, taking the view that the data may be taken anywhere, as long as it is encrypted.

"Sensibly run organisations will have a rule that no personal data should be put onto portable media, like memory sticks, unless there's a proper system of encryption in place."
