ICO urges more care with personal data as Nursing and Midwifery Council receives £150,000 penalty

London, UK, Feb. 15, 2013 — The Information Commissioner’s Office has urged organisations to review their policies on how personal data is handled, after the Nursing and Midwifery Council was issued a £150,000 civil monetary penalty for breaching the Data Protection Act.

The council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. An ICO investigation found the information was not encrypted.

David Smith, Deputy Commissioner and Director of Data Protection, said:

“It would be nice to think that data breaches of this type are rare, but we’re seeing incidents of personal data being mishandled again and again.

“While many organisations are aware of the need to keep sensitive paper records secure, they forget that personal data comes in many forms, including audio and video images, all of which must be adequately protected.

“I would urge organisations to take the time today to check their policy on how personal information is handled. Is the policy robust? Does it cover audio and video files containing personal information? And is it being followed in every case?

“If the answer to any of those questions is no, then the organisation risks a data breach that damages public trust and a possible weighty monetary penalty.”

The council had been couriering evidence relating to a ‘fitness to practise’ case to the hearing venue. When the packages were received the discs were not present, though the packages showed no signs of tampering. Following the security breach the council carried out extensive searches to find the DVDs, but they’ve never been recovered.

David Smith continued:

“The Nursing and Midwifery Council’s underlying failure to ensure these discs were encrypted placed sensitive personal information at unnecessary risk. No policy appeared to exist on how the discs should be handled, and so no thought was given as to whether they should be encrypted before being couriered. Had that simple step been taken, the information would have remained secure and we would not have had to issue this penalty.”

Further details about today’s case can be found on the ICO’s civil monetary penalty notice page.

The ICO has published guidance for organisations on the use of encryption.

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

3. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter.

4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

5. Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.

6. Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Information Commissioner’s Office (ICO).

Press Office
Tel. 0303 123 9070 (media only)

