ICO issues first NHS data protection fine

£70,000 fine comes one week after Computing criticism

Just a week after Computing questioned the willingness of the Information Commissioner's Office (ICO) to levy fines against negligent organisations in the NHS, the ICO has imposed a £70,000 fine against the Aneurin Bevan Local Health Board in Pontypool, South Wales.

The fine was levied following a number of errors that resulted in a report containing sensitive, personal information being sent to the wrong patient. Following an on-site investigation, the ICO concluded that both the consultant and the secretary involved had not received the appropriate training on data protection.

It also found that similar poor practice was rife throughout the Trust and that it had failed to put in place the appropriate processes to make sure that personal information was sent to the right people.

As part of the settlement with the ICO, the Trust has committed to improving training for staff in protecting patients' personal data, as well as introducing processes in a bid to prevent a recurrence.

Although this is the first fine to be levied against an NHS organisation, Brighton and Sussex University Hospitals NHS Trust is facing a heftier fine of £375,000 after a batch of hard-disk drives that were supposed to have been destroyed by a contractor were instead sold on auction website eBay.

That incident occurred in September 2010, but the Trust is contesting the fine.

• A full interview with the ICO will appear in the next print issue of Computing.