Data protection fines: enhancing patient protection or reducing treatments?

Paul Gershlick

Matthew Arnold & Baldwin LLP

Paul Gershlick of Matthew Arnold & Baldwin LLP provides an update on data protection fines and questions whether they solely enhance patient protection or simply reduce treatment options.

At the beginning of 2012, the Information Commissioner’s Office (the “ICO”) announced that the health sector would be topping its list for enforcement activity surrounding compliance with UK data protection laws. The UK’s data protection and privacy regulator has certainly held true to that promise. There have subsequently been a series of fines, totalling several hundred thousand pounds. But the question has to be asked: is this the right approach?

Let’s start with some legal background. Under the Data Protection Act 1998 (the “DPA”), data controllers (anyone who takes decisions about processing of people’s personal data) have to comply with various principles. Any sensitive personal data – which includes any information about someone’s health – needs particular protection. The obligations include processing the data fairly and lawfully, for no longer than necessary, keeping it accurate and up-to-date and not transferring the data outside of the European Economic Area except if there is adequate protection.


“…the purpose of a penalty is to encourage compliance and deter the data controller and others.”


A key obligation is the need for data controllers to take appropriate technical and organisational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. The ICO is particularly hot on personal data being left on unencrypted memory sticks and laptops. However, as with a lot of data protection law, context is key. The ICO’s view in each case reflects the seriousness of the situation, such as the type of data, the likelihood of harm to the data subjects, the flagrancy of the breaches, and any repeated breaches.

Since 2010 (with the introduction of Sections 55A to 55E into the DPA by the Criminal Justice and Immigration Act 2008), the ICO has had the power to fine data controllers up to £500,000 if there is a serious contravention of the DPA that is likely to cause substantial damage or distress, in circumstances where the breach is deliberate or the offender knows or ought to know that there is a risk of the contravention occurring and fails to take reasonable steps to prevent it. Similar powers exist for breach of other data protection laws such as sending unsolicited communications.

In its Guidance on issuing monetary penalties, the ICO said that the purpose of a penalty is to encourage compliance and deter the data controller and others. The ICO takes into account the sector and the size, financial and other resources of the person penalised.

With that in mind, let’s consider some penalties issued by the ICO this year.

First up, the Central London Community Healthcare NHS Trust was fined £90,000, after the Trust had sent sensitive information concerning dozens of patients to the wrong person. The ICO ruled that the mistake was a breach of the DPA, that its serious consequences were foreseeable, and that the mistake could have been avoided if there had been better processes and training.


“…the ICO handed out its biggest ever fine for breach of data protection laws: £325,000…”


Things heated up in the summer. Belfast Health and Social Care Trust faced a £225,000 penalty after staff and patient records, which had been left at an abandoned hospital property, were photographed and posted on the Internet several times. The records included scans, X-rays, medical records and payslips, and had been left at a hospital property after it closed in 2006. The ICO said the Trust should have taken reasonable steps to prevent the breach, including conducting a full inspection of the property (which had not occurred), making an inventory of the records at the property and maintaining appropriate security to prevent access.

That same month, the ICO handed out its biggest ever fine for breach of data protection laws: £325,000. The unlucky recipient of this record was Brighton and Sussex University Hospitals NHS Foundation Trust. What was the nature of the data breach? The Trust had used a contractor who was supposed to clean and destroy 1,000 computer hard drives containing highly sensitive personal data about tens of thousands of patients and staff, including details of their medical conditions (among them HIV cases), criminal convictions and personal contact details. Some of the hard drives ended up on eBay. The cash-strapped Trust said it could not afford to pay. As this case shows, the ICO has little sympathy if the breach is caused by a data processor, who processes data on behalf of the data controller.

The following month, Torbay Care Trust was slapped with a £175,000 fine for confidential and sensitive personal data relating to 1,400 employees being published on the Trust’s website. There was a lack of process to protect the data and more data was supplied and used for wider purposes than should have been the case. The Trust had taken remedial action and co-operated, but this still did not satisfy the ICO. Other factors in favour of lenient treatment included no previous similar security breaches by the Trust, and no complaints received from data subjects. However, in citing aggravating features, the ICO said the Trust had sufficient financial resources to pay a monetary penalty.

There have been further fines.

No other sector has borne the brunt of the ICO’s ire like the health sector. Meanwhile, large private sector organisations that commit data breaches escape without fines or with chicken feed amounts.


“No other sector has borne the brunt of the ICO’s ire like the health sector.”


With the QIPP Agenda, the Department of Health has to find £20bn of efficiency savings over five years. This is not an easy task. Whilst it could be argued that these data protection fines are not on the same scale, everything helps. A lost £1m means someone not getting their operation or drugs. It means someone’s health not being taken care of.

The ICO is absolutely right to try to ensure that patients’ sensitive personal data about their health are safeguarded. But I firmly believe that in adopting these tactics, they are simply causing more harm to patients by reducing the care they receive. Far better would be to work with the NHS Trusts and educate them so that they improve the protection for patient data, rather than impose fines that come straight out of the budget to provide care.

I am not the only one who thinks this. The ICO’s approach has been criticised by the chairman of a leading patient data protection body. Christopher Fincken of the UK Council of Caldicott Guardians said the fines come straight out of patient care funding. Caldicott Guardians are NHS staff who are responsible for ensuring that patient data is kept secure. Fincken was concerned that patient care (such as operations) would inevitably be cut to pay for the fines, and that there must be a fairer way to deal with the issues, such as holding the relevant officers to account.

I hope the ICO will make it a happier 2013 for the NHS and the patients they serve.

About the author:

Paul Gershlick is a Partner at Matthew Arnold & Baldwin LLP. He can be contacted using the details below:

T: +44 (0)1923 208816

F: +44 (0)1923 215004


Do you think data protection fines are of sole benefit to the patient?