ICO fines Nursing and Midwifery Council over data breach
£150,000 penalty issued after the loss of three DVDs related to a nurse's misconduct hearing
The Information Commissioner's Office (ICO) has fined the Nursing and Midwifery Council (NMC) £150,000 after the loss of three unencrypted DVDs which contained confidential personal data and evidence from two vulnerable children.
The loss of the DVDs occurred during a nurse's 'fitness to practise' hearing. Evidence for the case was being couriered to the hearing venue but when the packages arrived the discs were not present, although the packages did not show signs of tampering. After the breach the NMC carried out extensive searches to locate the DVDs, but they are yet to be recovered.
David Smith, Deputy Commissioner and Director of Data Protection, said, "The Nursing and Midwifery Council's underlying failure to ensure these discs were encrypted placed sensitive personal information at unnecessary risk.
"No policy appeared to exist on how the discs should be handled, and so no thought was given as to whether they should be encrypted before being couriered. Had that simple step been taken, the information would have remained secure and we would not have had to issue this penalty."
Responding to the ICO's decision, the NMC said they were "disappointed with the Information Commissioner's Office's (ICO) recent decision."
The NMC continued, "We regret the incident, but want to reassure the public and all our stakeholders that we recognise the importance of data protection and the need for data security. The cause of the incident is understood to have been an isolated human error.
"Our policy, in place at the time, required encryption. We received the DVDs from the police unencrypted but we failed to encrypt them before we sent them on. We very much regret this and have now corrected our practice."
"Since the incident we have further strengthened our policies and procedures for the secure handling of witness evidence", the NMC added.
In the light of this recent case, the ICO has urged other organisations to think more carefully about how they handle personal data.
David Smith said, "It would be nice to think that data breaches of this type are rare, but we're seeing incidents of personal data being mishandled again and again. While many organisations are aware of the need to keep sensitive paper records secure, they forget that personal data comes in many forms, including audio and video images, all of which must be adequately protected.
"I would urge organisations to take the time today to check their policy on how personal information is handled. Is the policy robust? Does it cover audio and video files containing personal information? And is it being followed in every case?
"If the answer to any of those questions is no, then the organisation risks a data breach that damages public trust and a possible weighty monetary penalty."