The Brighton and Sussex University Hospitals NHS Trust will appeal if fined £375,000 by ICO
An NHS trust has said it will appeal if it is instructed to pay a substantial fine that may be levied by the Information Commissioner’s Office (ICO).
In an initial letter of intent, the ICO has suggested a possible fine of £375,000; the highest penalty issued to date. The regulator claims that no final decision has been reached in the matter and that “The ICO is currently making enquiries into a possible breach of the Data Protection Act and is unable to speculate on what action will be taken at this time.”
First ever appeal
The Brighton and Sussex University Hospitals NHS Trust has no plans to comply, and unlike other institutions which hang their heads in shame and put on the dunce’s hat without complaint, it will appeal the fine. This would be the first time any organisation appealed against an ICO decision or penalty.
The trust believes that it should not be held responsible for the breach in the Data Protection Act (DPA) as it was a victim of a crime.
The breach occurred when hard drives containing patient data were handed over to a registered contractor for destruction, only to end up for sale on eBay. According to a report by the BBC, the incident, which the trust considers an act of theft, occurred in September 2010.
Duncan Selbie, chief executive of Brighton and Sussex University Hospitals NHS Trust said in a statement that as soon as the trust was alerted to the sale of the disks, the police was informed and the disks recovered. “We are confident that there is a very low risk of any of the data from them having passed into the public domain. We have subsequently received a Notice from the Information Commissioner’s Office proposing a fine of £375,000 which we are, in the circumstances, challenging,” he added.
Under current legislation, the ICO has the power issue a fine of up to £500,000 to organisations which have committed a serious breach of the Data Protection Act
The highest penalty levied to date was handed to Powys County Council in December last year, after investigations revealed that staff members had been lax in checking documents before sending them to members of the public, resulting in individuals receiving delicate information about unrelated children, along with with documents pertaining to their own.
Last week, the ICO stated in a blog post that it would not be easing up on offenders any time soon and urged companies considering cutting costs and corners in the their data protection policies to think twice, or face the consequences.