- Mobile
iOS App- Newsletters
- Subscribe
- Stakeholders
- Follow:
GOVERNMENT ZONE
- Central government
- Devolved government
- Education
- Health and social care
- Home affairs
- Local government
- Transport
AREA OF INTEREST
- Built environment
- Culture, heritage and museums
- e-government
- Energy
- Finance and pensions
- Innovation, science and technology
- International
- Management and HR
- PFI and partnerships
- Procurement
- Property
- Scotland
- Sustainable futures
- Waste
SISTER SITES
Email
Print
Nursing and Midwifery Council hit with £150k data breach fine
18 February 2013
The council, which said it was "disappointed" with the ICO's decision, lost three DVDs which related to a nurse's misconduct hearing. An investigation found that the DVDs, which contained confidential personal information and evidence from two vulnerable children, had not been encrypted.
According to the information regulator, the council had been couriering evidence relating to a 'fitness to practise' case to the hearing venue. The discs were however not present when the packages were received, even though there were no signs of tampering. Extensive searches were said to have been made by the council to find the DVDs, but they were never recovered.
"The Nursing and Midwifery Council's underlying failure to ensure these discs were encrypted placed sensitive personal information at unnecessary risk," said deputy commissioner David Smith.
He added that "no policy appeared to exist on how the discs should be handled, and so no thought was given as to whether they should be encrypted before being couriered".
"Had that simple step been taken, the information would have remained secure and we would not have had to issue this penalty."
But the Nursing and Midwifery Council said in a statement that the cause of the incident was "understood to have been an isolated human error". "Our policy, in place at the time, required encryption," the statement read.
A spokesman for the council did however tell Publicservice.co.uk that this policy "was not explicit as to how we handled portable media received from other organisations" and that their policy had "since been updated to rectify this".
"The NMC is disappointed with the Information Commissioner's Office's recent decision to impose a fine," the council's statement said.
"We regret the incident, but want to reassure the public and all our stakeholders that we recognise the importance of data protection and the need for data security. The cause of the incident is understood to have been an isolated human error.
"Our policy, in place at the time, required encryption. We received the DVDs from the police unencrypted but we failed to encrypt them before we sent them on. We very much regret this and have now corrected our practice.
"We have many other security measures in place, including a data protection policy, data security guidelines and information security training for employees. All our employees are required to sign up to our information security policies at the start of their employment with the NMC.
"Since the incident we have further strengthened our policies and procedures for the secure handling of witness evidence."
COMMENTS
RELATED NEWS »
- Prison needed for serious data offences, says Information Commissioner
- New NHS won't escape fines for old data breaches
- Private investigators could face £500,000 fines for accessing data illegally
- Patients can stop their data being shared, says Jeremy Hunt
- Patients targeted after GP email account was hacked
- Caldicott 2 – NHS reported 186 serious data breaches in a year
- Police forces face investigation after sending personal data to G4S
SUGGESTED FEATURES »
- The new NHS: Only the fittest will survive and flourish
- Another day, another data breach: how to make sure you aren't next
- On Her Majesty's not-so-secret service: The 'plausible' plot of Skyfall
- Government faces growing data storage demands
- 'NHS must tell patients about data and privacy breaches'
- 'NHS and councils need help as they fall behind on data protection'