Careless NHS trust fined £90,000

Posted: 26th November 2013

FaxThe Upper Tribunal (UT) has upheld a £90,000 fine imposed on an NHS Trust which mistakenly faxed personal details of highly vulnerable patients to a surprised member of the public.

Because of an oversight rooted in a lack of training, a member of the Trust’s staff had, on some 45 occasions, faxed daily inpatient lists to the wrong number. The lists, which related to extremely ill patients in a palliative care unit, should have been sent to a hospice. The blunder was revealed when a member of the public phoned the Trust to reveal that he had been receiving the faxes and had shredded them.

It was common ground that the faxes had contained ‘acutely private information and sensitive personal data’. On discovering the error, the Trust had reported itself to the Information Commissioner, who imposed a £90,000 financial penalty in the exercise of rarely used powers under the Data Protection Act 1998. The penalty was subsequently upheld by the First-tier Tribunal.

In dismissing the Trust’s appeal, the UT rejected arguments that it could claim ‘some sort of statutory immunity’ on the basis that it had itself reported the matter to the Commissioner and had co-operated fully with his investigation. The Trust had made an ‘unqualified confession’ on realising that it had been caught ‘bang to rights’, but the UT described the whole episode as ‘a sorry tale’.

The Commissioner’s exercise of his discretion could not be faulted and, measured against the maximum penalty of £500,000 that can be imposed in such cases, the £90,000 fine for such a serious breach represented a proper balance between aggravating and mitigating features and could not be viewed as excessive.