Information Commissioner's Office

London NHS Trust fined £90,000 for serious data breach

Central London Community Healthcare (CLCH) NHS Trust has been fined £90,000 following a serious breach of the Data Protection Act (DPA), the Information Commissioner’s Office (ICO) announced yesterday.

The breach first occurred in March last year, after patient lists from the Pembridge Palliative Care Unit, intended for St John’s Hospice, were faxed to the wrong recipient. The individual informed the Trust in June that they had been receiving the patient lists – around 45 faxes over a three-month period – but had shredded them.

The patient lists contained sensitive personal data relating to 59 individuals, including medical diagnoses and information relating to their domestic situations and resuscitation instructions.

The ICO’s investigation found that the Trust failed to have sufficient checks in place to ensure that sensitive information sent by fax was delivered to the correct recipient. The Trust also failed to provide sufficient data protection guidance and training to the member of staff concerned.

Stephen Eckersley, the ICO’s Head of Enforcement, said:

“Patients rely on the NHS to keep their details safe. In this case Central London Community Healthcare NHS Trust failed to keep their patients’ sensitive information secure. The fact that this information was sent to the wrong recipient for three months without anyone noticing makes this case all the more worrying.”

 

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

3. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter. Our press office page provides more information for journalists.

4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

5. Monetary penalties are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice. Any Notice of Appeal in response to today’s monetary penalty would need to be served on the Tribunal by 5pm on Monday 28 May 2012 at the latest.

6. If you need more information, please contact the ICO press office on 0303 123 9070.
 
