I read that the Information Commissioner has proposed to fine Brighton and Sussex University Hospitals NHS Trust £375,000 for a breach of patient confidentiality whereby hard drives containing patient data were sold on eBay. Digging a little further into the story, it seems that the NHS Trust hired a contractor to remove the drives, delete their contents and then dispose of them. The contractor sold the drives on, but didn’t do the deletion.
This is actually quite normal. Asset disposal companies take care of the owner’s legal obligations in disposing of kit, and they then offset the management charges by selling the kit on for whatever they can get. Obviously, the disposal company must correctly discharge its data cleansing duty, but the practice of an external contractor removing the kit and then selling it is completely standard, and returns the asset’s value to the owner.
The problem is that the patient data was not erased. And that’s why the Information Commissioner’s Office (ICO) has got involved.
But the ICO’s response, of fining the NHS Trust, is completely wrong.
Firstly, any government organisation fining any other government organisation is like me moving a £10 note from the front to the back of my wallet. It’s still money in the system. Except that it doesn’t cost me anything to move notes around in my wallet. There are loads and loads of people in the NHS and ICO who will be involved in the levying, paying and processing of the fine. These people will contribute nothing at all to the country by carrying out this transaction.
Secondly, NHS Trusts need all the money they can get. Reducing the money supply to an organisation that is already hard-up will only have the effect of increasing the pressure on staff, and therefore the likelihood of similar mistakes being made again.
Thirdly, this data breach is a human error. Somebody didn’t do their job properly. Was it negligence? It certainly appears that way. I’m not really a witch-hunt kind of guy, but why is the employing organisation being fined? It does not create a link between the punishment and the perpetrator of the crime/error. What should be done in this case is a period of non-criminal community service. The error affects the general public, so the perpetrator of that error should make reparations to the general public.
Fourthly, it doesn’t even appear as if this error was made by an employee of the Brighton and Sussex University Hospitals NHS Trust, so why are they being fined? Surely the error was made by the disposals company that tried to sell the unwiped hard drives. They are the ones who should be being fined. (Although, B&SUH should really have had a flow-down clause in its contract with the disposals company so that they could pass the liability on)
These points expose my real feeling of disgruntlement. Certainly, a privacy breach occurred, and a lesson needs to be learned. But that lesson has to be targeted and appropriate. The people involved need to be aware of the implications of their failure to correctly discharge their duty, and – where appropriate – must carry out some form of penitent action to make up for that mistake.
One government department stealing money from another teaches nobody anything, except for teaching the public at large that the whole system is FUBAR.