Brighton & Sussex University Hospitals are appealing the decision of the Information Commissioner's Office (ICO) to impose a monetary penalty of £325,000 on them on 1 June 2012, following a serious breach of the UK Data Protection Act of 1998.
The breach involved highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine (GUM) patients - on hard drives sold on an internet auction site in 2010. The data included details of patients' medical conditions and treatment, disability living allowance forms and children's reports, among others.
© 2013 Cecile Park Publishing Ltd. All rights reserved
Duncan Selbie, Chief Executive of Brighton and Sussex University Hospitals, said: ''We dispute the Information Commissioner's findings, especially that we were reckless, a requirement for any fine. We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay. No sensitive data has therefore entered the public domain. We reported all of this voluntarily to the Information Commissioner's Office, who told me last summer that this was not a case worthy of a fine''.
In a press release dated 1 June 2012, the ICO stated that the breach occurred when an individual engaged by the Trust's IT service provider, Sussex Health Informatics Service (HIS), was tasked to destroy approximately 1,000 hard drives held in a room accessed by key code at Brighton General Hospital in September and October 2010. A data recovery company bought four hard drives from a seller on an internet auction site in December 2010, who had purchased them from the individual.
'Although the ICO was assured in our initial investigation following this discovery that only these four hard drives were affected, a university contacted us in April 2011 to advise that one of their students had purchased hard drives via an internet auction site', read the ICO communication. 'An examination of the drives established that they contained data which belonged to the Trust.'
''The ICO has ignored our extensive representations'', said Selbie. ''It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine despite repeated attempts to find out, including a freedom of information request which they interestingly refused on the basis that it would 'prejudice the monetary penalty process'. In a time of austerity, we have to ensure more than ever that we deliver the best and safest care to our patients with the money that we have available. We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal.'
An ICO spokesperson told DataGuidance: ''On background, when the ICO is minded to issue an organisation with a Civil Monetary Penalty, the organisation is informed and is invited to submit representations to the ICO. Within its representations, an organisation can challenge both the status and amount of the monetary penalty. The Trust did submit representations to the ICO and they have been taken into account when reaching our final decision.''