The Information Commissioner’s Office (ICO) yesterday handed out the first fine to an NHS organisation for a breach of the Data Protection Act 1998.
Whilst the ICO has previously fined a number of organisations for a breach of the Act, this first fine levied on the NHS reinforces the need for all health organisations to ensure compliance with the Data Protection Act or face enforcement.
Aneurin Bevan Health Board in Wales has been fined £70,000 after a medical report drafted by a Consultant was sent to the wrong person. The letter contained Sensitive Personal Data relating to the health of an individual and was inadvertently sent to the wrong patient because of a misspelling of the surname that was not picked up before dispatch. Upon investigation, the Information Commissioner noted that there were no robust systems in place to ensure that letters were sent to the correct patients, and accordingly determined that there had been a breach of the 7th Data Protection Principle.
The Monetary Penalty Notice clearly sets out the ICO’s intentions in relation to data security in the NHS and sounds a warning about future breaches of the Act across the NHS. The Notice states, “this is an opportunity to reinforce the need for Data Controllers in the NHS to review the handling of confidential and Sensitive Personal Data” and confirms that the fine was handed down “to ensure that appropriate and effective security measures are applied”.
NHS organisations should ensure that all systems in place for the management of patient data are robust and safeguard the confidentiality of patients. The Information Commissioner has signalled his intent in relation to fines and it is very likely that further fines of a similar nature will be levied by the Information Commissioner in the future. Given the volume of patient data held by the NHS, this fine demonstrates that enforcement under the Data Protection Act is a real risk.
Bevan Brittan has a dedicated information law team who can advise and assist in dealing with all aspects of the Data Protection Act. We have significant experience of advising NHS organisations in relation to breaches of the Data Protection Act to ensure appropriate systems and safeguards are put in place.