In August 2016 the Information Commissioner’s Office (‘the ICO’) announced that it had fined Whitehead Private Nursing Home (‘the nursing home’) £15,000 for breaking the law by not looking after the sensitive personal details in its care.
The legal background
The nursing home was a ‘data controller’ within the meaning of the Data Protection Act 1998 (‘the DPA’). It is the duty of data controllers to comply with the data protection principles in relation to all personal data in respect of which they are the data controller.
The relevant provision of the DPA is the seventh data protection principle which provides that:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
The nursing home issued an unencrypted laptop to a member of staff. She regularly took it home to continue working. On one occasion when she did so she left it in her living room and during the night her home was burgled and the laptop was stolen. It was not recovered.
The laptop held confidential information and sensitive personal data relating to 29 residents of the nursing home, including their names, dates of birth, mental and physical health and ‘do not resuscitate’ status.
The laptop also held confidential information and sensitive personal data relating to 46 staff at the nursing home, including reasons for sickness absence, medical certificates and disciplinary matters.
The nursing home did not have any policies governing the use of encryption, homeworking and the storage of mobile devices or provide any training on data security for staff.
What the nursing home did wrong
The nursing home failed to comply with the DPA because it failed to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss of personal data. In particular, the nursing home:
- Issued its member of staff with an unencrypted laptop
- Did not have in place any policies governing the use of encryption, homeworking and the storage of mobile devices
- Did not provide any training on data security for staff.
The ICO was satisfied that this was a serious breach of the DPA because of the number of people affected (29 residents and 46 members of staff) and the potential consequences to those people given the nature of the personal data held on the laptop.
As the ICO pointed out in its report, mobile devices such as laptops have a high risk of loss or theft and require adequate security measures to protect the personal data held on them. This is all the more so when confidential and sensitive information is concerned – in particular, as regards vulnerable elderly residents of a nursing home. The ICO said:
“This nursing home put its employees and residents at risk by failing to follow basic procedures to properly manage and look after the personal information in its care” and
“Our investigation revealed major flaws in the nursing home’s approach to data protection. Employees would have expected any details about disciplinary matters or their state of health to have been kept safe. Likewise, residents would not have expected their confidential information to have been stored on an unprotected laptop and taken to an employee’s home. Whitehead Nursing Home had totally inadequate provisions for IT security and procedure and poor data protection training”.
The ICO considered the following to be mitigating circumstances:
- The laptop was password protected
- The data on the laptop had not been used by any unauthorised person (as far as it was aware)
- Those affected, i.e. the people whose data was compromised, were notified of the security breach
- The incident was reported to the ICO
In other words, the fine would have been higher if it were not for these factors.
What the nursing home should have done
The nursing home should have issued an encrypted laptop, put in place policies governing the use of encryption, homeworking and the storage of mobile devices, and provided data security training for its staff. The ICO also said that there was “no good reason” for the failure to do these things.
The ICO’s underlying objective in imposing a fine is to promote compliance with the DPA. In view of a number of high-profile data losses the ICO issued a warning in 2010 that where it discovered such losses occurred and there was no encryption, regulatory action was likely to follow.
The fine in this case shows the ICO can and will act against any organisation (even a small one) if it feels that organisation is not taking seriously its duty to look after the personal details it has been entrusted with. This means that in a world where personal information is increasingly valuable, it is even more important for every organisation to ensure the security of data is not overlooked.
Are your staff issued with laptops? Have they been trained in data security? Do you have policies governing the use of encryption, homeworking and the storage of mobile devices? We can put in place policies, procedures and systems and train staff to prevent something similar happening at your organisation.
This article is intended for informational purposes only, so please don’t rely on it as legal advice!
We believe that data protection is about protecting people and that the four elements of data protection are trust, transparency, privacy and security. If you agree and like this page please feel free to share it.