In April the UK Information Commissioner's Office (the "ICO") issued its first fine to a National Health Service ("NHS") body for serious breaches of the Data Protection Act 1998 (the "DPA"). 

In June, the ICO has issued monetary penalties to a further two NHS bodies for serious breaches of the DPA, including the highest fine it has issued since it was granted the power to impose Civil Monetary Penalties in April 2010.

Brighton and Sussex University Hospitals NHS Trust has been fined £325,000 following the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff on hard drives sold on an internet auction site in 2010. 

The breach appears to have occurred when an individual engaged by the trust's IT service provider was tasked with destroying hard drives held at one of the trust's hospitals.  The trust is disputing the ICO's findings and will appeal the decision.

Belfast Health and Social Care Trust has been fined £225,000 after sensitive personal data of thousands of patients and staff was found in a disused hospital site. 

Trespassers had gained access to the site, taken photos of patient records and posted them online.

The ICO has the power to fine organizations up to £500,000 for serious breaches of the DPA. 

Both fines illustrate the sensitivity of personal data handled by health organizations and the ongoing obligations of data controllers under the DPA.

• ICO's press release relating to Brighton and Sussex University Hospitals NHS Trust
• ICO's press release relating to Belfast Health and Social Care Trust