
HIV records from NHS trust accidentally sold on the web

The Information Commissioner’s Office has come down hard on the Brighton and Sussex University Hospitals NHS Trust.

The watchdog has slapped the trust with a Civil Monetary Penalty (CMP) of £325,000 following a serious breach of the Data Protection Act (DPA).

And security experts have said they are not surprised at the fine, which is the highest the ICO has issued since it was granted the power to issue CMPs in April 2010.

It follows the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff, which was found on hard drives sold on an internet auction site in October and November 2010.

The ICO said some of the information related to HIV and Genito-Urinary Medicine (GUM) patients, as well as details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. It also included documents containing staff details such as National Insurance numbers, home addresses, ward and hospital IDs, as well as information referring to criminal convictions and suspected offences.

According to the ICO, the data breach occurred when an individual was given the task of destroying the 1,000 hard drives held in a room accessed by key code at Brighton General Hospital in September and October 2010.

However, in December 2010 a data recovery company bought four hard drives from a seller on an internet auction site, who had in turn purchased them from the individual.

The ICO at the time was reassured by claims that these were the only four rogue disks. However, in April 2011 it was contacted by staff at a university, who advised it that one of their students had purchased hard drives via an internet auction site. An examination of the drives established that they contained data which belonged to the Trust.

The ICO said the trust had been unable to explain how the individual removed at least 252 of the approximately 1,000 hard drives they were supposed to destroy from the hospital during their five days on site.

It said the individual was not believed to have known the key code needed to access the room where the drives were stored, and was usually supervised by staff working for HIS. However, the Trust has acknowledged that the individual would have left the building for breaks, and that the hospital was publicly accessible.

Security and communications expert Chris McIntosh, CEO of ViaSat UK, told TechEye that the fine wasn’t a surprise.

“While previously focused against local government, the ICO’s penalty powers have come more and more to bear on the NHS in recent months,” McIntosh said. “This isn’t too surprising: as one of the largest handlers of personal data in the UK, and given the sensitivity of much of that data, the NHS has had many more opportunities for such a catastrophic breach to occur.”

“At the same time,” McIntosh said, “a recent FOI request showed that the NHS was the most reported organisation in terms of lost data and hardware at 40 out of 108 cases nationwide in 2011 / 2012 and, more damningly, insecure disposal of data, responsible for more than twice as many cases as the entire private sector.”

“With these statistics, a penalty of this magnitude was inevitable,” McIntosh continued. “Organisations need to learn from this and all of the ICO’s penalties: data must be encrypted and correctly destroyed, hardware must be kept under lock and key and contractors must be thoroughly vetted to ensure that standards are met.”

Last month the ICO issued a London Community Healthcare trust with a fine of £90,000 after it found it in serious breach of the Data Protection Act.

NHS Trust faxed patient data to the wrong number for three months

A London Community Healthcare trust has been slapped with a fine of £90,000 after the Information Commissioner’s Office found it in serious breach of the Data Protection Act.

The watchdog, which had its website hacked last week amid accusations that it didn’t protect citizens’ privacy enough, first became aware of the NHS Trust’s wrongdoing back in March 2011.

This was after patient lists from the Pembridge Palliative Care Unit, intended for St John’s Hospice, were faxed to the wrong recipient.

The patient lists were said to contain sensitive personal data relating to 59 individuals. This included medical diagnoses and information relating to their domestic situations and resuscitation instructions.

The individual informed the Trust in June that they had been receiving the patient lists, which consisted of around 45 faxes over a three month period. However, they claimed that to protect privacy, they had shredded them.

The ICO conducted an investigation that found the trust had failed to have sufficient checks in place to ensure sensitive information sent by fax was delivered to the correct recipient. It also barked at the trust for failing to provide robust data protection guidance and training to the members of staff who had accidentally sent the faxes.

Stephen Eckersley, the ICO’s Head of Enforcement, said that the fact that this information was sent to the wrong recipient for three months without anyone noticing made the case “all the more worrying”.

ICO warns politicians on pre-referendum data breaches

The Information Commissioner’s Office (ICO) has issued a stark warning to political parties.

It wants them, along with campaigners, to respect data protection laws when it comes to lobbying for the upcoming UK referendum and local and national elections.

The UK-wide referendum on the UK voting system will take place on 5 May to coincide with local elections in England and Northern Ireland.

Elections to the Scottish Parliament, the Welsh Assembly and the Northern Ireland Assembly will also take place the same day.

However, the watchdog is concerned that overzealous campaigners and party members could breach data laws when it comes to sending out direct mail, emails, text messages, phone canvassing and automated phone calls.

It also wants campaigners to learn where they need consent when it comes to form filling and sharing of details.

In the past, parties have fallen foul of the ICO for going against its guidelines. Those named and shamed include the Conservatives, Labour, the Liberal Democrats and the Scottish National Party (SNP) for breaching the Privacy and Electronic Communications Regulations after marketing individuals without their consent.

Information Commissioner Christopher Graham said that although parties want the vote, that does not mean they can forget their legal responsibility to respect privacy rights.

The watchdog has now produced guidance for campaigners explaining how they can ensure that they are complying with the Data Protection Act as well as the accompanying Privacy and Electronic Communications Regulations.

ICO warns Data Protection Act must be clearer

There is a lack of clarity surrounding the Data Protection Act (DPA), the Information Commissioner’s Office (ICO) has said. It now wants the DPA updated to eliminate confusion and give everyone a clearer definition of ‘personal data’, which it says is currently inadequate.

“The law must be clearer on when consent is required to use personal information and adopt a more pragmatic approach to the regulation of international data flows,” the watchdog said in a statement.

“The allocation of responsibilities amongst those handling personal data also needs to reflect the changing nature of modern day business relationships.”

The response follows the Ministry of Justice asking businesses, regulators and individuals for their views on the UK’s data protection framework. This was to help it negotiate with the European Commission as it reviews EU-wide data protection law.

The European Commission has been banging on about tighter data protection in the UK for a while now, saying it needs to ensure it measures up to EU standards.

In June the EC said the current protection rules in the UK were insufficient, and that the ICO lacked a number of key powers: it was unable to monitor whether other countries’ data protection is adequate in the case of cross-border businesses, to perform random spot checks on people using or processing personal data, or to enforce penalties following such checks.

The consultation, which closed yesterday, has spurred the ICO to list a range of improvements that it would like to see in a revised framework.

It is after greater clarity on when consent is required to use personal information as well as improved coordination with freedom of information.

The ICO also told the government that the DPA must be altered to address changes in the way that personal data is collected and used. It said this was because increasing use of online services means that organisations collect new data that the law is unclear about, such as IP addresses.

It also wants to see a better approach to the regulation of international data flows.

“This is one of the aspects of the EU Directive that most needs to be amended to deal more realistically with current and future international data-flows. A future framework should focus much more on risk assessment by the exporting data controller and should be clearer about data controllers’ responsibility, wherever they choose to process personal data,” the document said.

Individuals who knowingly break the DPA have also come under fire. The ICO says that ultimately it wants to see them banged up.

“The Information Commissioner considers that the trade in personal information justifies the possibility of a custodial sentence for the most serious offences,” it said.