Deja-Vu & The NHS

Just over 12 months ago, Brighton & Sussex University Hospitals NHS Trust was fined £325,000 by the ICO after computers containing patient records were found on sale on internet auction sites. A few weeks later, the ICO issued guidance on IT security, including its expectations in relation to the secure destruction of data and the disposal of unwanted IT equipment. So, has the NHS learned its lesson?

What Happened Last Time? 

The fine levied on Brighton & Sussex was, at the time, the highest the ICO had issued and reflected the seriousness with which the ICO viewed the breach, which compromised highly sensitive personal data: information relating to medical conditions, reports on children, national insurance numbers, home addresses and information relating to criminal convictions and suspected offences. The ICO said that it was applying the fine in order 'to set an example for all organisations - both public and private - of the importance of keeping personal information secure'. It went on to say that 'patients of the NHS in particular rely on the service to keep their sensitive personal details secure... [and] in this case, the Trust failed significantly in its duty to its patients, and also to its staff'.

What's Happened This Time? 

Fast forward 12 months and the ICO has fined neighbouring NHS Surrey for an almost identical breach: 3,000 patient and HR records were found on a second-hand computer bought on an internet auction site, after a specialist data destruction company had been engaged to securely dispose of the Trust's unwanted IT equipment. After being contacted by the member of the public who had bought the computer and found the undeleted data, NHS Surrey went on to recover a further 39 computers which had been sold on by its data destruction service provider (some, but not all, of which contained sensitive personal data).

Why Should I Care? 

Fines, reputational damage, loss of trust, the cost of addressing the breach at speed, and the inconvenience and expense of the regulator publicly dictating how aspects of your organisation are run, and on the regulator's timetable (I'm not being glib, but you've heard all this before from us). Perhaps the most concerning aspect of this case was NHS Surrey's failure to deal with the DPA basics. As we've bored you all with before, the data controller always remains responsible and liable for the failures of its data processors: it doesn't matter that it was the specialist data destruction service provider that got it wrong, it is NHS Surrey that breached the DPA and incurred the wrath of the ICO. Engaging a specialist transfers the work, not the liability.

The basics here were that:

  • NHS Surrey had engaged a data processor to securely destroy data on its behalf.
  • Destroying data may not immediately be seen as processing, but the DPA definition of processing is incredibly wide and confirms that destruction is a form of processing.
  • Whenever a data controller (e.g. NHS Surrey) engages a data processor (i.e. any third party that does something involving personal data on its behalf), the DPA mandates that the data controller has a legally binding written agreement in place with each and every data processor. In this case, there was no contract.
  • That contract must ensure that the data processor only processes the data controller's data in accordance with the data controller's instructions and for the purpose the data controller specifies. It should also contain any other conditions necessary to ensure that the data controller complies with the DPA, and to protect the data controller (to some degree) if the data processor does something which puts the data controller in breach of the DPA.

Given that the ICO and other privacy regulators are going back to basics to check organisational compliance with privacy laws (including whether appropriate privacy policies are in place), it's worth checking that everybody in your organisation understands the basics of the DPA:

  • What is personal data?
  • When is somebody processing personal data?
  • What are the requirements when a third party is appointed to process personal data (both under the DPA and from an organisational perspective)?
  • What processes are in place to ensure that data processors actually do what they (and the contract, if there is one) say they should be doing, and are those processes widely understood and followed in practice? For equipment disposal, that means more than taking the provider's word for it: for example, keeping an asset register of what was handed over and reconciling it against the certificates of destruction that come back.

The Last Word

We've highlighted this instance for two reasons:

  • Firstly, it is alarming that an almost identical breach has occurred in another NHS organisation so soon after the last one, which received a huge amount of media attention. It's also concerning for the NHS given the culture shift being ushered in across the service towards greater data sharing, which will heighten this risk for those NHS organisations which don't have adequate processes, policies and training in place to address data-sharing risks effectively.
  • Secondly, the 'back to basics' point is one that all organisations can learn from. In our experience, staff at all levels don't fully understand how wide the DPA definitions of 'personal data' and 'processing' are, or how to comply with the DPA when a data processor is appointed. The enforcement action taken by the ICO reinforces the same point: basic training, relevant to the roles staff actually undertake, is the key to driving a compliance culture within an organisation.

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.