ICO £325k fine highlights importance of proper destruction of data
11 June 2012
Posted by Samuel Couratin
The £325,000 fine that the UK's data protection watchdog has issued to a health body underlines how vital it is that organizations ensure data is properly destroyed once it has ceased to be of use.
Thousands of patients and staff were affected in an incident at Brighton and Sussex University Hospitals NHS Trust in which highly-sensitive personal information was left on hard drives that were sold online.
The breach, in October and November 2010, involved data relating to HIV and genito-urinary medicine patients, as well as children's reports and disability living allowance forms, and has resulted in a heavy Civil Monetary Penalty being issued to the trust by the Information Commissioner's Office (ICO).
Commenting on the ICO fine, Richard Costin, Managing Director of Banner Business Services, stressed the importance of adhering to data protection standards in this area, stating: "The impact [of not removing data properly] is massive, so it is really important you make sure you securely remove data - whether that is on paper or on computers."
He added all possible steps should be taken to make sure it "doesn't get into the wrong hands" and confidential details are kept private, as they can be treated as a commodity and sold on by criminals.
Mr Costin explained that it is the responsibility of an organization to understand the "requirements of document destruction, data integrity and the importance of data", rather than relying on outside contractors.
The £325,000 ICO fine is the highest to be imposed by the body, which has had the power to issue penalties of up to £500,000 for the worst breaches of the Data Protection Act since April 2010.
An individual charged with the destruction of 1,000 hard drives stored in a secure room was found to have sold them on, with four devices purchased on an internet auction site by a data recovery business in December 2010.
David Smith, ICO Deputy Commissioner and Director of Data Protection, explained the penalty imposed "reflects the gravity and scale of the data breach" and is intended to set an example to other agencies.