The Nursing and Midwifery Council has been fined £150,000 by the Information Commissioner's Office for losing three DVDs which contained evidence relating to a disciplinary investigation.
Since 6 April 2010 the Information Commissioner's Office (ICO) has had the power to issue monetary penalties of up to £500,000 for serious breaches of the Data Protection Act 1998 (DPA). The ICO only issues a monetary penalty in the most serious cases, but it is using its relatively new power with increasing frequency.
All organisations which handle personal data must do so lawfully, in accordance with the eight data protection principles set out in the DPA. These include taking:
"Appropriate technical and organisational measures. against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." (Principle 7)
What amounts to an "appropriate" measure depends on various factors including the cost of implementing any measures, the harm that may result from any loss etc. of the relevant data and the nature of the information to be protected.
The Nursing and Midwifery Council (NMC) is the regulatory body for nurses and midwives in the UK. Part of its remit is to carry out fitness to practise investigations when allegations of misconduct are made against these professionals.
Three DVDs containing witness interviews which contained confidential and highly sensitive information about alleged offences were lost while being couriered to the location at which a fitness to practise hearing was to be held. The data on the discs was not encrypted. Despite extensive searches the DVDs were never found. However, there was no indication that the data had been accessed or disseminated further.
The ICO was critical of the fact that the NMC had failed to take any measures, such as encryption, against accidental loss given the harm that may have resulted from such loss and the nature of the data. In particular, two of the affected individuals in this case were vulnerable children and there was potential for substantial distress to be caused if the sensitive personal data was disclosed to a recipient with no right to see it.
In the NMC's favour was the fact that it had voluntarily reported the breach to the ICO and co-operated fully, had carried out a thorough investigation, had made extensive searches to locate the missing DVDs and had subsequently taken remedial action internally.
Despite this, the ICO imposed a penalty of £150,000, to be reduced by 20 per cent if paid within one month.
Employers and professional organisations need to ensure they are complying with the DPA and in particular the seventh data protection principle in respect of information relating to disciplinary investigations and hearings. In the cases involving serious allegations the relevant data is likely to be highly sensitive so the risk of harm from accidental loss or disclosure could be high. Whenever data is being sent off site protective measures should be considered.
The Commissioner has published guidance on the use of portable devices and removable media. In its view such devices should be encrypted and failure to do so is likely to lead to enforcement action if equipment and data are subsequently lost or misused. Taking the relatively cheap and simple step of encrypting data could protect organisations against incurring similar fines.
ICO monetary penalty notices
How can we help?
If you would like to discuss what you need to do in order to comply with the Act, please contact firstname.lastname@example.org or a member of our data protection team.