ICO fines Nursing and Midwifery Council

February 22, 2013 |

On 12 February the ICO  issued the Nursery and Midwifery Council a £150,000 fine for breaching the data Protection Act.

The council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. The  ICO  found the information was not encrypted.

According to the ICO press release David Smith, Deputy Commissioner and Director of Data Protection, said:

“It would be nice to think that data breaches of this type are rare, but we’re seeing incidents of personal data being mishandled again and again.
While many organisations are aware of the need to keep sensitive paper records secure, they forget that personal data comes in many forms, including audio and video images, all of which must be adequately protected.

“I would urge organisations to take the time today to check their policy on how personal information is handled. Is the policy robust? Does it cover audio and video files containing personal information? And is it being followed in every case?

“If the answer to any of those questions is no, then the organisation risks a data breach that damages public trust and a possible weighty monetary penalty.”

The council had been couriering evidence relating to a ‘fitness to practise’ case to the hearing venue. When the packages were received the discs were not present, though the packages showed no signs of tampering. Following the security breach the council carried out extensive searches to find the DVDs, but they’ve never been recovered.

David Smith continued:

“The Nursing and Midwifery Council’s underlying failure to ensure these discs were encrypted placed sensitive personal information at unnecessary risk. No policy appeared to exist on how the discs should be handled, and so no thought was given as to whether they should be encrypted before being couriered. Had that simple step been taken, the information would have remained secure and we would not have had to issue this penalty.”

The decision is found here.

It provides:

Statutory Framework

 The Nursing and Midwifery Council is the data controller, as defined in section 1(1) of the Data Protection Act 1998 (the “Act”), in respect of the processing of personal data carried out by the Nursing and Midwifery Council and is referred to in this notice as the “data controller”.  Section 4(4) of the Act provides that, subject to section 27( 1) of the Act, it is the duty of a data controller to comply with the data protection principles in relation to all personal data in respect of which it is the data controller.
 The Act came into force on 1March 2000 and repealed the Data Protection Act 1984 (the “1984 Act”). By virtue of section 6( 1) of the Act, the office of the Data Protection Registrar originally established by section 3(1)(a) of the 1984 Act became known as the Data Protection Commissioner. From 30 January 2001, by virtue of section 18(1) of the Freedom of Information Act 2000 the Data Protection Commissioner became known instead as the Information Commissioner (the “Commissioner”).
 Under sections SSA and SSB of the Act (introduced by the Criminal Justice and Immigration Act 2008 which came into force on 6 April 2010) the Commissioner  may, in certain circumstances,  where there has there been a serious contravention of section 4(4) of the Act, serve a monetary penalty notice on a data controller requiring the data controller to pay a monetary penalty of an amount determined by the Commissioner and specified in the notice but not exceeding f5OO,OOO.The Commissioner has issued Statutory Guidance under section sse (1) of the Act about the issuing of monetary penalties which is published on the Commissioner’s website.  It should be read in conjunction with the Data Protection (Monetary Penalties)(Maximum Penalty and Notices) Regulations 2010 and the Data Protection (Monetary Penalties) Order 2010 .

Power of Commissioner to impose a monetary penalty

 (1)        Under section SSA of the Act the Commissioner may serve a data controller with a  monetary penalty notice if the Commissioner  is satisfied that  –

 (a)    there has been a serious contravention of section 4(4) of the Act bythe data controller,

 (b)    the contravent ion was of a kind likely to cause substantial damageor substantial distress, and

 (c)    subsection (2) or (3) applies .

(2)        This subsection applies if the contravention was deliberate.

(3)        This subsection applies if the data controller-

(a)knew or ought to have known –

(i)                   that there was a risk that the contravention would occur, and

(ii)                  that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but

(b)failed to take reasonable steps to prevent the contravention.

Background

 The data controller is the UK’s regulator of nurses and midwives and part of its role is to carry out fitness to practise (“FrP”) investigations when allegations of misconduct are made against these professionals. On 7 October 2011, in preparation for a FrP hearing, administrative workers employed by the data controller were instructed to package three DVDs with other evidence and to send these by courier to the hearing venue which was a hotel in Cardiff .

 The DVDs contained confidential and highly sensitive information relating to alleged offences by a nurse and information about children who were identifiable from that information.

The courier collected the packages from the data controller’s offices on 7 October 2011 and delivered them to the hotel on 10 October .2011 as requested.   However, when the packages were opened at the hearing venue the DVDs were not inside.  The Commissioner understands that the DVDs were not protected by any form of technical security such as encryption of the video files , although the packages showed no signs of tampering.

 The data controller was aware that DVDs were used to store witness interviews used at FTP hearings from time to time and that these would often contain sensitive personal data, yet it had no policy in place requiring the encryption of this data either while held at its offices or during transit to the hearing venue.

 Following the security breach the data controller carried out extensive searches to find the DVDs but they are still missing. The data controller has now taken remedial action which included a review of its methods of exchanging sensitive information with the police. This review recommended that the data controller should put in place more formal policies and procedures regarding the security of such data , including the encryption of any data stored on removable media.

 

Grounds on which the Commissioner  proposes to serve a monetary penalty notice

 The relevant provision of the Act is the Seventh Data Protection Principle which provides, at Part Iof Schedule 1to the Act, that:

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction o0 or damage to, personal data “.

 Paragraph 9 at Part IIof Schedule 1to the Act further provides that:

 “Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to

 (a)   the harm that might result from such unauthorised or unlawful processing or accidental/ass, destruction or damage as are mentioned in the seventh principle, and

 (b) the nature of the data to be protected”.

  • The Commissioner is satisfied that there has been a serious contravention of section 4(4) of the Act.

In particular, the data controller had failed to take appropriate technical and organisational measures against accidental loss of personal data such as ensuring that any removable media containing sensitive information was encrypted prior to sending it to the hearing venue.

 The Commissioner considers that the contravention is serious because the measures did not ensure a level of security appropriate to the harm that might result from such loss and the nature of the data to be protected .

  • The Commissioner is satisfied that the contravention is of a kind likely to cause substantial distress.  Confidential and highly sensitive personal data relating to vulnerable individuals was lost due to the inappropriate technical and organ isational measures taken by the data controller.

The failure to take appropriate technical and organisational measures has the potential to cause substantial distress to individuals who may know or suspect that their confidential and highly sensitive personal data has been disclosed to a recipient who has no right to see that information .

Furthermore they would be j ustifiably concerned that their data maybe further disseminated and possibly misused even if those concerns do not actually materialise.

In this context it is important to bear in mind that two of the affected individuals are vulnerable children.

  • The Commissioner is satisfied that section 55A(3) of the Act applies in that the data controller knew or ought to have known that there was a  risk that the contravention would occur, and that such a contravention  would be of a kind likely to cause substantial distress, but failed to take  reasonable steps to prevent the contravention.

The Commissioner has taken this view because employees working in the data controller’s FTP directorate were used to handling sensitive personal data and the data controller was aware that sensitive information such as that on these DVDs was sent to FTP hearing panels from time to time  in an  unencrypted format.

In the circumstances, the data controller should have realised that tlhis practice of sending removable media containing sensitive personal data in an unencrypted format constituted a serious risk which could easily be avoided.

In the circumstances, the data controller knew or ought to have known that there was a risk that the contravention would occur unless reasonable steps were taken to prevent the contravention, such as ensuring that any removable media containing sensitive information was encrypted prior to sending it to the hearing venue.

The Commissioner  published guidance on his website in November 2007 about the risks associated with the use of unencrypted portable devices and removable media used to store or process personal data, the loss of which would be likely to cause distress to individuals. This guidance states the Commissioner’s  view that such devices or media should be encrypted  to protect the data, and that failure to do so may lead to enforcement action where these equipment and data are subsequently  lost or misused.

 Further, it should have been obvious to the data controller whose employees were used to handling sensitive personal data that such a contravention would be of a kind likely to cause substantial distress to the data subjects due to the nature of the data involved.

Aggravating features the Commissioner has taken into account in determin ing the amount of a monetary penalty

Nature of the contravention

  • Contravention was particularly serious because of the confidential and highly sensitive nature of the personal data
  • Two of the data subjects were vulnerable children

Effect of the contravention

  • Three DVDs containing confident ial and highly sensitive information about alleged offences and misconduct were lost and have not been found

Impact on the data controller

  • Sufficient financial resources to pay a monetary penalty up to the maximum without causing undue financial hardship

Mitigating features the Comm issioner has taken into account in determining the amount of the monetary penalty

Effect of the contravention

  • To the Commissioner’s  knowledge the personal data involved has not been accessed or further disseminated

Behavioural issues

  • Voluntarily reported to Commissioner’s office
    • Data controller carried out a full investigation
    • Remedial action has now been taken
    • Extensive searches were made to locate the missing DVDs
    • Co-operative with the Commissioner’s office

Impact on the data controller

  • Monetary penalty will be paid out of registrant fees although the penalty will be paid into the Consolidated Fund
  • Significant impact on reputation of data controller as a result of this security breach

Other considerations

  • The Commissioner’s underlying objective in imposing a monetary penalty notice is to promote compliance with the Act . This is an opportunity to reinforce the need for data controllers to review the sending of confidential and sensitive personal data by unencrypted  means and to ensure that appropriate and effective security  measures are applied to the use of removable media or portable electronic devices holding such data

Notice of Intent

A notice of intent was served on the data controller dated 9 October 2012 . The Commissioner received written representations from the Solicitor acting for the data controller dated 16 November 2012 . The Commissioner has considered the written representat ions made in relation to the notice of intent when deciding whether to serve a monetary penalty notice.  In particular, the Commissioner has taken the following steps :

  • reconsidered the amount of the monetary penalty generally, and whether it is a reasonable and proportionate means of achieving the objective which the Commissioner seeks to achieve by this imposition;
  • ensured that the monetary penalty is within the prescribed limit of

£500,000; and

  • ensured that the Commissioner is not, by imposing a monetary penalty, acting inconsistently with any of his statutory or public law duties and that a monetary penalty  notice will not impose undue financial  hardship on an otherwise responsible data controller.

Amount of the monetary pena lty

The Commissioner considers that the contravention of section 4(4) of the Act is very serious and that the imposition of a monetary penalty is appropriate.  Further that a monetary penalty in the sum of £150,000 (One hundred and fifty thousand pounds) is reasonable and proportionate given the particular facts of the case and the underlying objective in imposing the penalty .

Payment

The monetary penalty must be paid to the Commissioner’s office by BACS transfer or cheque by 15 March 2013 at the latest.  The monetary penalty is not kept by the Commissioner but will be paid into the Consolidated Fund which is the Government’s general bank account at the Bank of England.

Early payment discount

If the Commissioner receives full payment of the monetary penalty by 14 March 2013 the Commissioner will reduce the monetary penalty by 20°/o to £120,000 (One hundred and twenty thousand pounds).

Right of Appeal

There is a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against:

the imposition of the monetary penalty and/or

the amount of the penalty specified in the monetary penalty notice.

Any Notice of Appeal should be served on the Tribunal by Spm on 14 March 2013 at the latest.  If the notice of appeal is served late the Tribunal will not accept it unless the Tribunal has extended the time for complying with this rule.

Information about appeals is set out in the attached Annex 1.

Enforcement

The Commissioner will not take act ion to enforce a monetary penalty unless:

  • the period specified in the notice within which a monetary penalty must be paid has expired and all or any of the monetary penalty has not been paid;
  • all relevant appeals against the monetary penalty notice and any variation of it have either been decided or withdrawn; and
  • the period for the data controller to appeal against the monetary penalty and any variation of it has expired.

In England, Wales and NorthernIreland, the monetary penalty is recoverable by Order of the County Court or the High Court.  In Scotland, the monetary penalty can be enforced in the same manner as an extract registered decree arbitra l bearing a warrant for execution issued by the sheriff court or any sheriffdom in Scotland.

Dated the 12th day of February 2013

 

 

Leave a Reply