First NHS fine issued by ICO

  • 30 April 2012
First NHS fine issued by ICO
The Information Commissioner’s Office will not take regulatory action over NHS Digital/

Aneurin Bevan Health Board has become the first NHS organisation to be fined by the Information Commissioner’s Office following a serious breach of the Data Protection Act.

The board has been fined £70,000 for emailing a report about the treatment of a mental health patient to the wrong person.

The error occurred following a series of errors by members of staff at the trust. First, an un-named consultant emailed a letter to a secretary for formatting.

This included two different spellings of the patient’s name, but failed to include any other unique identifier, such as their hospital number or NHS Number.

Then, the secretary chose the wrong patient from the board’s electronic patient record system to send the report to.

As a result, a letter containing “confidential and highly sensitive personal data, including a report from the consultant detailing contacts with the patient over a period of five to six months” was sent to the wrong person.

A monetary penalty notice issued by the ICO says the secretary was used to letters arriving in this state, and their line manager had “permitted this method of work so that an effective service could be provided across multiple sites.”

The ICO found that the Aneurin Bevan had failed to take “measures against unauthorised processing of personal data” and that the error was likely to cause “substantial distress.”

In addition to the penalty, Aneurin Bevan has signed an undertaking to address the concerns expressed by the ICO during its investigation.

This includes ensuring that all staff are made aware of and trained on the organisation’s policies on the use of personal data and that there is regular monitoring of compliance with policies on data protection and IT security.

New checking procedures will also be implemented across all sites to confirm a patient’s identity before personal information is sent out.

Stephen Eckersley, the ICO’s head of enforcement said: “The health service holds some of the most sensitive information available. The damage and distress caused by the loss of a patient’s medical record is obvious.

“Aneurin Bevan Health Board failed to have suitable checks in place to keep the sensitive information they handled secure.

“This case could have been extremely distressing to the individual and their family and may have been prevented if the information had been checked prior to it being sent.

“We are pleased that the health board has now committed to taking action to address the problems highlighted by our investigation.

"However, organisations across the health service must stand up and take notice of this decision if they want to avoid future enforcement action from the ICO.”

Subscribe to our newsletter

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Sign up

Related News

ICO guidance on transparency published for health and care sector

ICO guidance on transparency published for health and care sector

New guidance has been issued by ICO over how health and care organisations should be transparent over the use of personal information.
ICO reprimands NHS Lanarkshire for sharing patient data via WhatsApp

ICO reprimands NHS Lanarkshire for sharing patient data via WhatsApp

The Information Commissioner’s Office (ICO) has issued a reprimand to NHS Lanarkshire following the use of WhatsApp by staff to share patient data.
Transgender charity Mermaids fined £25k for data protection breach

Transgender charity Mermaids fined £25k for data protection breach

The transgender charity has been fined £25,000 by the Information Commissioner’s Office (ICO) for failing to keep the personal data of its users secure.