A Hard (Drive) Lesson To Be Learned

Rawlison Butler Commerce & Technology Partner Mark O’Shea considers the impact of a recent ICO fine for data protection breaches and suggests ways to minimise your risk.

A recent record fine of £325,000 imposed by the Information Commissioner's Office (ICO) on a Brighton NHS Trust for data protection breaches has again brought the subject of data theft into sharp focus.

According to the BBC, highly sensitive personal data belonging to patients and staff was taken from Brighton General Hospital in 2010. That data apparently included details of patients' medical conditions and treatments, children's reports and disability living allowance forms. It also included staff details: National Insurance numbers, home addresses, hospital IDs and information on criminal convictions.

Much of the data was 'sensitive personal data' as defined by the Data Protection Act 1998. In addition to the rules applicable to 'personal data', that Act imposes more stringent conditions on the processing of 'sensitive personal data'.

Destruction of hard drives

The facts of the case were that an individual employed by or engaged through a contractor to the Brighton and Sussex University Hospitals NHS Trust was instructed to destroy around 1,000 computer hard drives. Although the worker was under general supervision and had restricted access rights, he nevertheless managed to remove at least 250 hard drives from the hospital. Four of these were later purchased on eBay by a data recovery company from a seller who had, in turn, acquired them from the individual. The Trust could not explain how the worker had been able to remove the hard drives from the hospital.

According to the Trust, none of the personal data had entered the public domain, and the Trust has said that it will appeal.

Lessons to be learned

The ICO is sending a clear signal to organisations that they need to exercise great care with personal and sensitive personal data. But what should you do to minimise the risk for your business?

  • Control access rights. What is appropriate depends on what data you hold, the purposes for which it is processed and who inside (and outside) your organisation genuinely needs access to it.
  • When data is obsolete or no longer required (and data should not in any event be retained for longer than is necessary), physically remove it from hard drives and backups unless a legal, tax or other requirement obliges you to retain a copy.
  • Use a specialist contractor to 'deep cleanse' the hard drives by removing all data from them before destruction or resale. Have a proper written contract with the contractor that includes an indemnity for any breach or failure by the contractor to properly perform its obligations, and that requires a director or authorised officer of the contractor to certify that the cleansing and/or destruction of the hard drives has taken place. A certificate is only useful if it can be checked: record the serial number of every drive you release and reconcile the certificate against that list, so that an unexplained shortfall of the kind the Trust could not account for is caught rather than discovered on eBay.
  • Only use secure carriers to move drives from your site to the place of cleansing or destruction, and record the hand-over at each end.
  • If you use your own personnel and/or contract personnel to carry out the cleansing, adopt appropriate physical security measures: drives awaiting destruction should be kept in a locked area, and nobody with access to them should be able to leave the site with drives unchecked.
  • If a data security breach occurs, move as rapidly as possible to remedy the breach and to minimise the risk to the individuals concerned.
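The two checks that would have exposed the Brighton shortfall are a reconciliation of the contractor's certificate against the list of drives actually released, and a read-back of the cleansed media to confirm nothing survived. The script below is an added example, not code from the article, the Trust or any contractor; the custody stage names, the sample ledger, the drive serials and the assumption that cleansing leaves the media zero-filled are all illustrative.

```python
"""Custody reconciliation and wipe verification for drives released for destruction.

Added example, not code from the article or from the NHS Trust: the custody
stage names, the sample ledger, the drive serials and the zero-fill check are
all illustrative assumptions.
"""
import os
import tempfile
from collections import defaultdict

# Every drive released for destruction must pass through these stages, in order.
# Assumed stage names; a real process would use whatever the contract defines.
CUSTODY_STAGES = ("released", "collected", "received", "sanitised", "destroyed")

# Constructed ledger of (serial, event) records in the order they were logged.
SAMPLE_LEDGER = [
    ("WD-0001", "released"), ("WD-0001", "collected"), ("WD-0001", "received"),
    ("WD-0001", "sanitised"), ("WD-0001", "destroyed"),   # fully accounted for
    ("WD-0002", "released"), ("WD-0002", "collected"),    # never reached the contractor
    ("WD-0003", "released"), ("WD-0003", "received"),
    ("WD-0003", "destroyed"),                             # no collection or sanitisation record
    ("ST-0099", "destroyed"),                             # certified, but never released by us
]


def reconcile(ledger):
    """Map each drive serial to the list of custody problems found for it.

    Drives that completed every stage in order are omitted from the result, so
    an empty dict means the destruction certificate matches the release list.
    """
    events = defaultdict(list)
    for serial, event in ledger:
        events[serial].append(event)

    problems = {}
    for serial, seq in events.items():
        issues = []
        unknown = [e for e in seq if e not in CUSTODY_STAGES]
        if unknown:
            issues.append(f"unknown events: {unknown}")
        if seq[0] != "released":
            issues.append("no release record")
        # The recorded stage indices must be exactly 0, 1, 2, ... with no gaps,
        # repeats or reversals.
        stages = [CUSTODY_STAGES.index(e) for e in seq if e in CUSTODY_STAGES]
        if stages != list(range(len(stages))):
            issues.append("missing, duplicated or out-of-order stage")
        if seq[-1] != "destroyed":
            issues.append(f"not destroyed (last event: {seq[-1]})")
        if issues:
            problems[serial] = issues
    return problems


def verify_zero_fill(path, block_size=1 << 20):
    """Return True if every byte of the file or block device at `path` is zero.

    This is a full read, not a sample: spot-checking a few sectors of a large
    drive gives little assurance, because one surviving record can sit in any
    block. Only a zero overwrite pattern is checked here; a contractor using a
    different pattern would verify against that pattern instead.
    """
    total = 0
    with open(path, "rb") as f:
        while chunk := f.read(block_size):
            if any(chunk):  # any non-zero byte means data survived the wipe
                return False
            total += len(chunk)
    return total > 0  # an empty read proves nothing


def demo_wipe_check():
    """Constructed demonstration: one wiped image and one that still holds data."""
    tmpdir = tempfile.mkdtemp()
    wiped = os.path.join(tmpdir, "wiped.img")
    dirty = os.path.join(tmpdir, "dirty.img")
    with open(wiped, "wb") as f:
        f.write(bytes(1 << 20))          # 1 MiB of zeros, as a completed overwrite leaves
    with open(dirty, "wb") as f:
        f.write(bytes(1 << 20))
        f.seek(700_000)                  # a single leftover record deep inside the image
        f.write(b"PATIENT RECORD: NI AB123456C\n")  # constructed sample data
    return verify_zero_fill(wiped), verify_zero_fill(dirty)


if __name__ == "__main__":
    for serial, issues in sorted(reconcile(SAMPLE_LEDGER).items()):
        print(f"{serial}: {'; '.join(issues)}")
    print("wipe check (wiped, dirty):", demo_wipe_check())
```

Run against the constructed ledger, the reconciliation reports WD-0002 as never destroyed, WD-0003 as having skipped stages and ST-0099 as a drive the contractor certified but the organisation never released; WD-0001 is silent because it is fully accounted for. The read-back check is deliberately a full pass over the media rather than a random sample, since a certificate of destruction should rest on evidence that would have found a single surviving record.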

This document is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from taking any action as a result of the contents of this document.
