Bitter pill for the NHS
The Information Commissioner's Office is proposing to issue its biggest ever fine to the Brighton and Sussex University Hospitals Trust after hard drives holding patient records were put up for sale on eBay. But does the punishment fit the crime?
The ICO can issue fines of up to £500,000. The largest it has issued to date was £130,000, against Powys County Council, which inadvertently included pages from a confidential child protection report in a document sent to a member of the public. The ICO is now proposing a fine of £375,000, almost three times that amount, for the data breach suffered by the Brighton and Sussex hospital.
However, the hospital administrators plan to appeal, saying that far from being the culprits, they are the victims of a crime. They were aware of their responsibilities under the Data Protection Act and commissioned a registered contractor who specialised in the secure destruction of data drives to dispose of the drives safely. Instead, the contractor tried to sell the drives on eBay. A hospital spokesman told the BBC: "As soon as we were alerted to this we informed the police and with their help we recovered all the hard drives stolen by this individual. We are confident that there is a very low risk of any of the data from them having passed into the public domain."
Do you think this fine is justified? Do you think the hospital was negligent in the way it handled the matter? At a time when the economy is creaking and the NHS is under strain, how does this headline grabbing record fine really help anyone?
27th January 2012