Washington Health Care Update
Rod Lambert and Nicola Birney
June 29, 2012
In April the UK Information Commissioner's Office (the "ICO") issued its first fine to a National Health Service ("NHS") body for serious breaches of the Data Protection Act 1998 (the "DPA").
In June, the ICO issued monetary penalties to a further two NHS bodies for serious breaches of the DPA, including the highest fine it has issued since it was granted the power to impose Civil Monetary Penalties in April 2010.
Brighton and Sussex University Hospitals NHS Trust has been fined £325,000 following the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff on hard drives sold on an internet auction site in 2010.
The breach appears to have occurred when an individual engaged by the trust's IT service provider was tasked with destroying hard drives held at one of the trust's hospitals. The trust is disputing the ICO's findings and will appeal the decision.
Belfast Health and Social Care Trust has been fined £225,000 after sensitive personal data of thousands of patients and staff was found at a disused hospital site.
Trespassers had gained access to the site, taken photos of patient records and posted them online.
The ICO has the power to fine organizations up to £500,000 for serious breaches of the DPA.
Both fines illustrate the sensitivity of personal data handled by health organizations and the ongoing obligations of data controllers under the DPA.
- ICO's press release relating to Brighton and Sussex University Hospitals NHS Trust
- ICO's press release relating to Belfast Health and Social Care Trust
Fulbright & Jaworski L.L.P. Washington's Health Care Group