
Tom Morrison returns with his quarterly review of the world of information law
Brighton and Sussex University Hospitals NHS Trust has been handed the largest civil monetary penalty issued so far under the Data Protection Act 1998 (DPA 1998). At £325,000, this substantial fine was issued following the theft of computer hard drives containing confidential information relating to thousands of patients and staff in September 2010. Highly sensitive personal data was found on hard drives sold on eBay two months later. The data included details of patients’ medical conditions and treatment, disability living allowance forms and reports on children. It also included documents containing staff details such as National Insurance numbers, home addresses and information referring to criminal convictions and suspected offences.
Source of the information breach
It seems that the source of the breach was an individual engaged by the trust’s IT services provider, which was supposed to securely destroy approximately 1,000 hard drives held in a secure room at Brighton General Hospital. Four of those hard drives made their way onto eBay and were sold to a data recovery company.