Nursing and Midwifery Council hit with £150k data breach fine
18 February 2013
The loss of three DVDs containing evidence from vulnerable children has led to a serious breach of the Data Protection Act and a £150,000 fine being imposed on the Nursing and Midwifery Council, the Information Commissioner's Office (ICO) has confirmed.
The council, which said it was "disappointed" with the ICO's decision, lost three DVDs which related to a nurse's misconduct hearing. An investigation found that the DVDs, which contained confidential personal information and evidence from two vulnerable children, had not been encrypted.
According to the information regulator, the council had been couriering evidence relating to a 'fitness to practise' case to the hearing venue. The discs were, however, not present when the packages were received, even though there were no signs of tampering. Extensive searches were said to have been made by the council to find the DVDs, but they were never recovered.
"The Nursing and Midwifery Council's underlying failure to ensure these discs were encrypted placed sensitive personal information at unnecessary risk," said deputy commissioner David Smith.
He added that "no policy appeared to exist on how the discs should be handled, and so no thought was given as to whether they should be encrypted before being couriered".
"Had that simple step been taken, the information would have remained secure and we would not have had to issue this penalty."
But the Nursing and Midwifery Council said in a statement that the cause of the incident was "understood to have been an isolated human error". "Our policy, in place at the time, required encryption," the statement read.
A spokesman for the council did, however, tell Publicservice.co.uk that this policy "was not explicit as to how we handled portable media received from other organisations" and that their policy had "since been updated to rectify this".
"The NMC is disappointed with the Information Commissioner's Office's recent decision to impose a fine," the council's statement said.
"We regret the incident, but want to reassure the public and all our stakeholders that we recognise the importance of data protection and the need for data security. The cause of the incident is understood to have been an isolated human error.
"Our policy, in place at the time, required encryption. We received the DVDs from the police unencrypted but we failed to encrypt them before we sent them on. We very much regret this and have now corrected our practice.
"We have many other security measures in place, including a data protection policy, data security guidelines and information security training for employees. All our employees are required to sign up to our information security policies at the start of their employment with the NMC.
"Since the incident we have further strengthened our policies and procedures for the secure handling of witness evidence."