NHS Trust Hit with Huge Monetary Penalty – Could It Have Been Avoided?

By Allan Watton

At Best Practice Group, one of our greatest frustrations is seeing major service provider relationships erode in a very public manner, when better management could not only have prevented such an outcome, but also benefited both parties and led to a healthy long-term relationship.

That is why today I want to explore a recent incident in which Brighton and Sussex University Hospitals NHS Trust was charged with an enormous £325,000 penalty, following a serious breach of the 1998 Data Protection Act. It is believed that the fine is the highest issued by the Information Commissioner’s Office (ICO) for a data breach – a breach which could have been avoided.

Background

It is understood that the breach occurred when the IT Service Provider contracted by the Trust, Sussex Health Informatics Service (HIS), was instructed to destroy around 1,000 hard drives containing extremely sensitive data belonging to patients and staff. The breach was discovered when a data recovery company bought a small number of the hard drives from an Internet auction site.

Data included information relating to Genito Urinary Medicine (GUM) patients, along with patients suffering from HIV. The hard drives also contained National Insurance numbers, personal addresses, ward and hospital IDs, suspected offences and criminal convictions, along with information relating to medical conditions, treatments, disability allowances and children’s reports.

The Trust attempted to mitigate its position by assuring the ICO that only the small number of hard drives purchased through this one incident were populated with sensitive data. However, a university subsequently contacted the ICO and claimed that one of its students had purchased hard drives at a different point in time. It was found that these too contained sensitive data.

When challenged by the ICO, the Trust was unable to identify how 25% of the hard drives that were supposed to be destroyed went missing.

The Outcome

David Smith, the ICO’s Deputy Commissioner and Director of Data Protection, said:

The amount of the [penalty] issued in this case reflects the gravity and scale of the data breach. It sets an example for all organisations – both public and private – of the importance of keeping personal information secure. That said, patients of the NHS in particular rely on the service to keep their sensitive personal details secure. In this case, the Trust failed significantly in its duty to its patients, and also to its staff.

There is no doubt that the ICO has used this breach as an opportunity to lay down a marker for similar incidents in the future. Its zero-tolerance approach to data protection will likely be welcomed by those potentially affected by such breaches.

From the ICO’s perspective, the ideal outcome from this incident would be an improvement in processes that leads to a prevention of similar occurrences in the future. The size of the monetary penalty is clearly intended to encourage such improvements to be actioned with haste.

Prevention – Service Provider Relationship Management

Whilst the Brighton and Sussex University Hospitals Trust has now committed to an ISO 27001 accredited partner for dealing with the storage of hard drives, these breaches could have been avoided in the first instance.

There have been some recent court rulings that ensure specialist providers (such as HIS) have a ‘duty to warn’ clients of their professional and legal obligations in the data protection arena. Moreover, as the expert provider, HIS should have ensured its own staff were following appropriate procedures by carrying out ‘spot checks’ and audits whenever the Trust gave instructions to dispose of equipment. It is well known by most IT providers that large-scale theft often occurs in disposal situations, so policies and audit procedures for staff in these situations must be (and can be) watertight.

The key takeaway is this: partnering with an expert provider is not, on its own, enough. The Trust should have been better educated as to the professional and legal obligations of its provider, which could have allowed it to avoid this extremely costly outcome. Such relationships thrive when there is a positive understanding on both sides of the fence, and it would appear that was not the case between the Trust and HIS.
