As the Information Commissioner’s Office (ICO) issues yet another fine on an NHS organisation I can’t help but think that cash, in an area where public spending is already under pressure, could be much better spent!
Last week Blackpool Teaching Hospitals NHS Foundation Trust was fined £185,000 for inadvertently publishing workers’ confidential data. This week Chelsea and Westminster Hospital NHS Foundation Trust has been fined £180,000 for revealing the email addresses of more than 700 users of an HIV service (a reminder to use blind CC when emailing groups!). These are both heavy fines considering the cap on the ICO’s enforcement powers is £500k.
NHS organisations, like all organisations in the private, public or third sectors, have had (or should have had) data protection issues well and truly on their radar, and the scale of these recent fines shows that those holding personal data need to ensure that they get their policies and processes right. This includes appropriate staff training and IT security, as well as avoiding this sort of breach in the first place (easier said than done, it seems).
Taking appropriate steps will affect how dimly the ICO views any breach an organisation makes. In the Blackpool case, the Trust failed to notice its mistake for 10 months and then took a further five months to alert affected staff. In Chelsea and Westminster, the Trust made a quick apology and has now put its house in order, but the seriousness of the breach and the Trust’s previous conduct still affected the level of fine levied by the ICO.
While these are yet more entries in the long list of data protection failures involving NHS Trusts, the principles apply across the public, private and third sectors alike. Wherever your organisation operates, you need to comply.
In other data protection news, the General Data Protection Regulation has now been published in the Official Journal as Regulation (EU) 2016/679 (catchy!). As well as making various changes to how data protection law will work, the Regulation increases the maximum sanction to €20 million or 4% of annual worldwide turnover.
Given these changes, if an organisation is currently behind the curve on its data protection obligations, or does not adapt to the new regime under the Regulation when it starts to apply in two years’ time, these recent fines may come to look like the lower end of the scale!
The thing to do now is to look over the extensive, easily accessible resources on the ICO’s website, which cover the current regime as well as the Regulation, and, if you still think your organisation might have issues, drop us a line at Berwins to see if we can help you.