Charity hits out at ICO fine for data breach and reserves right to appeal

The first charity to be fined by the Information Commissioner’s Office for a breach of data protection laws has hit out at the £70,000 penalty as “disproportionate” and reserved the right to appeal the amount.

The ICO imposed the monetary penalty on Norwood Ravenswood after information about the care of four young children was left outside the London home of their prospective adoptive parents one evening in December 2011.

The package of papers – including details of any neglect and abuse suffered by the children as well as information on their birth families – was never recovered.

The ICO claimed that the incident was “entirely avoidable” and said the fine should act as a warning to all charities to fulfil their obligations under the Data Protection Act.

But Elaine Kerr, Norwood’s chief executive, said: “Norwood has always taken the issue of data protection extremely seriously and deeply regrets what was an isolated breach within our Adoption Service. It is clear, however, that the fine of £70,000 is disproportionate and we have reserved our right to appeal the amount on these grounds.”

The charity’s chief executive insisted that, contrary to the press release issued by the ICO, the incident did not occur due to inadequate training, “but was an obvious lapse in judgement by one individual employed by Norwood”.

She added: “It is clear that the incident was in no way a reflection of our practice, policies or guidelines, but rather an act of human error.”

Kerr also pointed out that Norwood had reported itself voluntarily to the watchdog when it discovered the breach and took immediate measures to tighten its data protection procedures further.

“Norwood co-operated fully throughout the ICO’s investigation and appropriate action has been taken against the member of staff concerned,” Kerr said.

“Most importantly, no harm was actually caused to any party involved in the breach. We should also state that this is the only incident of its kind at the charity during its 200 years of operation.”

She added: “The public can remain confident that Norwood will continue to provide world-class services to the people who need it most, with absolute integrity and commitment to protect the privacy and confidentiality of the people we support.”

There has yet to be a tribunal hearing on the imposition by the ICO of a monetary penalty or the level of any such fine.

However, in December a tribunal will hear Central London Community Healthcare NHS Trust’s appeal over a £90,000 fine imposed after data was faxed to the wrong recipient.

The information about patient lists was intended for a hospice, but was sent to a member of the public on dozens of occasions over a three-month period.

Philip Hoult