£90,000 fine for data blunders

Posted: 28th January 2013

The first-tier tribunal has dismissed an NHS trust’s appeal against a £90,000 monetary penalty imposed in respect of data transfer blunders that resulted in extremely sensitive patient information being faxed to a member of the public. The case was the first in which the tribunal was asked to review a decision of the information commissioner to impose a monetary penalty on a data controller pursuant to powers conferred by the Data Protection Act.NHS

The Central London Community Healthcare NHS Trust had in place a system whereby it sent daily faxes to a hospice providing highly sensitive information in respect of vulnerable patients being treated in its palliative care unit. Due to a flawed protocol and a lack of adequate training on the part of the member of staff who sent the faxes, 45 of them were misdirected to the wrong fax number.

‘Acutely private information’, including patients’ names, details of their treatment and domestic situations, as well as resuscitation instructions, was faxed in error to a member of the public who eventually notified the trust that he had received them before shredding them. The information commissioner imposed the monetary penalty after finding that the trust had breached data protection principles.

In dismissing the trust’s appeal, the tribunal rejected its plea that, because it had voluntary notified the commissioner of the serious breaches, he was precluded from investigating the matter with a view to issuing a monetary penalty. The commissioner had correctly exercised his discretion according to law and the £90,000 penalty imposed was justified, the tribunal concluded.