NHS trust instructs lawyers to challenge £90k fine levied by ICO for data breach

A London NHS trust is to become the first organisation to challenge a fine imposed by the Information Commissioner's Office for a breach of the Data Protection Act.

The ICO announced today that it had imposed a £90,000 fine on the Central London Community Healthcare (CLCH) NHS Trust for what it described as a "serious breach".

But a spokeswoman for the trust said it deeply regretted that the watchdog had decided to impose a fine. 

She said: "We have instructed our lawyers to commence an appeal against this. We consider that the Commissioner has acted incorrectly as a matter of law and so we have no alternative but to bring an appeal."

The ICO imposed the levy – the second time a fine has been handed to an NHS body – after a number of faxes were sent to the wrong recipient between March and June 2011.

The intention had been to send patient lists from the Pembridge Palliative Care Unit to St John’s Hospice, which had verbally requested that the lists be sent to a second fax number in addition to the agreed fax number. This was to ensure that service provision remained unaffected during the leave of absence of one of the out-of-hours doctors.

The wrongful recipient, a member of the public, told CLCH in June 2011 that they had been receiving the lists but had shredded them.

Around 45 faxes in total had been sent over a three-month period, a subsequent ICO investigation found. There had been a misunderstanding between the hospice and CLCH when the relevant fax protocol had been used.

According to the watchdog, the lists “contained sensitive personal data relating to 59 individuals, including medical diagnoses and information relating to their domestic situations and resuscitation instructions”.

The ICO concluded that CLCH, which reported the incident, did not have sufficient checks in place to ensure that sensitive information sent by fax was delivered to the correct recipient.

It also found that the trust had failed to provide sufficient data protection guidance and training to the member of staff concerned.

The administrator had not been specifically trained to obtain management approval and to vary the fax protocol in this situation.

In addition, CLCH had not given any consideration to a possible alternative to the use of fax transmission such as secure email.

The watchdog acknowledged that the NHS trust had now taken “substantial remedial action which includes not sending inpatient lists by fax to the Hospice, carrying out a detailed internal investigation into the security breach and considering the use of more secure means available for sending confidential and sensitive personal data such as email”.

The £90,000 penalty levied on CLCH is higher than the first fine, which was handed out to the Aneurin Bevan Health Board in April.

Stephen Eckersley, the ICO’s Head of Enforcement, said: “Patients rely on the NHS to keep their details safe. In this case Central London Community Healthcare NHS Trust failed to keep their patients’ sensitive information secure. The fact that this information was sent to the wrong recipient for three months without anyone noticing makes this case all the more worrying.”

In addition to announcing plans for an appeal, the spokeswoman for CLCH said: “CLCH looks after around 150,000 new patients every year so protecting patient confidentiality is one of our top priorities. It is hugely regrettable that this incident, which was down to human error, happened and we have apologised to all the individuals and families who were affected by this mistake.

“We have conducted our own internal investigation and taken a number of actions to reduce the risk of such an incident happening again including the phasing out of the use of faxes in favour of more secure email and phone systems. We also reported ourselves to the Information Commissioner and fully co-operated with his investigation.”

The spokeswoman added that in its recent annual submission on information governance the trust confirmed it achieved or exceeded the minimum thresholds across all 45 standards including 98.5% of its staff completing information governance training in the last year.