PERFORMANCE: A south coast hospital trust is to appeal against a decision to fine it £325,000 for a serious breach of the Data protection Act.
The fine handed to Brighton and Sussex University Hospitals Trust for the loss of hundreds of hard drives is the highest issued so far by the Information Commissioner’s Office.
It follows the discovery of personal data belonging to thousands of patients and staff – including some relating to HIV status and criminal convictions – on hard drives sold on the internet auction site eBay in autumn 2010.
The ICO said the data breach occurred when a sub-contractor of the trust’s IT service provider, Sussex Health Informatics Service, was asked to destroy around 1,000 hard drives held in a room accessed by key code in September and October 2010.
The ICO said “the trust has been unable to explain how the individual removed at least 252 of the approximate 1,000 hard drives they were supposed to destroy from the hospital during their five days on site”.
A data recovery company bought four of the drives from the sub-contractor in December that year. The ICO was told in April 2011 that a university student had purchased further hard drives found to contain data belonging to the trust.
David Smith, the ICO’s deputy commissioner and director of data protection, said the size of the fine reflected the “gravity and scale” of the data breach and that it “sets an example” about the importance of keeping personal information secure.
“In this case, the trust failed significantly in its duty to its patients, and also to its staff,” he said.
But Brighton and Sussex University Hospitals chief executive Duncan Selbie said the trust disputed the findings and would be appealing to the Informational Tribunal, which hears appeals from notices issued by the ICO.
“We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay,” he said. “No sensitive data has therefore entered the public domain.”
Mr Selbie added that the ICO had told him “last summer that this was not a case worthy of a fine”.
“In a time of austerity, we have to ensure more than ever that we deliver the best and safest care to our patients with the money that we have available. We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal,” he said.
The ICO acknowledged that the trust had committed to providing a secure central store for hard drives and other media in future and was reviewing its process for vetting potential IT suppliers.
1 June 2012