NHS trust faces massive ICO monetary penalty after hard drives sold on eBay

January 11, 2012

Brighton and Sussex University Hospitals (BSUH) looks set to become the first NHS trust to be hit with a monetary penalty for breaching data protection laws, after it revealed that the Information Commissioner’s Office was proposing a £375,000 fine.

The trust’s chief executive, Duncan Selbie, confirmed that BSUH would be challenging the proposed fine, which was set out by the watchdog in an initial notice of intent.

The suggested monetary penalty relates to an incident involving the decommissioning of 1,000 hard drives.

According to local newspaper The Argus, an investigation revealed that 232 hard drives containing confidential information on patients and staff had been taken from a locked store at Brighton General Hospital and sold on eBay. The issue came to light after a buyer of four of the drives contacted the trust in December 2010.

Under the ICO’s procedures, the authority is able to submit representations on both the imposition of the monetary penalty and its amount. The watchdog will consider these responses and then decide whether to issue a final penalty notice.

If implemented at that level, the fine would dwarf those imposed so far on local authorities. The current record is £130,000, handed down to Powys County Council last month after the details of a child protection case were sent to the wrong recipient.

BSUH’s Selbie said: “We were the victims of a crime. We subcontracted the destruction of these hard drives to a registered contractor who subsequently sold them on eBay. As soon as we were alerted to this we informed the police and with their help we recovered all the hard drives stolen by this individual.”

Selbie said the trust was confident that there was a very low risk of any of the data from the hard drives having passed into the public domain.

“We have subsequently received a Notice from the Information Commissioner’s Office proposing a fine of £375,000 which we are, in the circumstances, challenging,” he added.

A spokesman for the ICO said the watchdog was currently making enquiries into a possible breach of the Data Protection Act and was unable to speculate on what action would be taken at this time.

Philip Hoult

On Local Government Law TV:

Introduction to the Data Protection Act by Blake Lapthorn

Trends and Developments in Information Law by Graeme Smith, Deputy Information Commissioner