Home » Topics » Governance, Risk and Compliance » ICO fines nursing regulator £150k after data lost in transit

ICO fines nursing regulator £150k after data lost in transit

Pete Swabeyby Pete Swabey

The Information Commissioner's Office has issued the Nursing and Midwifery Council a £150,000 fine after three DVDs containing "highly sensitive" data were lost in transit.

The DVDs contained video files relating to alleged offenses by a nurse and identifiable details of two children. In October 2011, they were sent by courier to the venue of a disciplinary hearing but when the package arrived the DVDs were not inside.

The data on the DVDs, which included witness interviews relating to the hearing, was not encrypted.

The ICO says that the council "had no policy in place requiring the encryption of this data either while held at its offices or during transit to the hearing venue".

The council itself says "our policy, in place at the time, required encryption. We received the DVDs from the police unencrypted but we failed to encrypt them before we sent them on. We very much regret this and have now corrected our practice".

The DVDs have still yet to be found.

The ICO levied the fine because the council had failed to take appropriate precautions to prevent such a data breach, it said, and because the nature of the data meant the breach was "likely to cause substantial distress".

The council said it was "disappointed" with the ICO's decision to levy a fine. "We regret the incident, but want to reassure the public and all our stakeholders that we recognise the importance of data protection and the need for data security," it said in a statement. "The cause of the incident is understood to have been an isolated human error."

"Since the incident we have further strengthened our policies and procedures for the secure handling of witness evidence."

"It would be nice to think that data breaches of this type are rare, but we’re seeing incidents of personal data being mishandled again and again," said deputy information commissioner David Smith. "I would urge organisations to take the time today to check their policy on how personal information is handled. Is the policy robust? Does it cover audio and video files containing personal information? And is it being followed in every case?"

Pete Swabey

Pete Swabey

Pete was Editor of Information Age and head of technology research for Vitesse Media plc from 2005 to 2013, before moving on to be Senior Editor and then Editorial Director at The Economist Intelligence...

Related Topics

Related Stories

Governance, Risk and Compliance

Two ways to improve GDPR enforcement

Martin Davies of Drata explains how GDPR is currently enforced and how enforcement could be improved across the European Union

Governance, Risk and Compliance

Four in five IT leaders concerned about data compliance

Cloudera research reveals that 79 per cent of IT leaders see compliance as the main data management concern, despite widespread investment

Cybersecurity

3 cybersecurity compliance challenges and how to address them

Earning those trust seals can strengthen relationships with board members and prospective customers, but it sure isn’t easy.

Governance, Risk and Compliance

What unbundling Microsoft Teams will mean for EU customers

In the midst of an EU antitrust investigation, Microsoft Teams is now set to be offered to businesses separately from its Office suite