The Information Commissioner is proposing to issue its heaviest ever fine for a breach of UK data protection laws. It proposes fining a health body after patient records were stolen from a hospital and sold on eBay. Brighton and Sussex University Hospitals NHS Trust told Out-Law.com that hard drives containing patient data had …
For taking all that money out of the health service, for the benefit of the people.
Instead, how about locking up and fining the shitbag who decided that it would be a good idea to flog off the drives he had been contracted to destroy.
I agree with the sentiment.
The problem with this is that the shitbag will have done this a) in the name of the NHS (as in will have been working for them at the time, probably still) and b) in good faith, believing the salespitch of fully privacy-ensured data deletion and buzzword buzzword buzzword buzzword, guaranteed! Think middle manager and how such positions attract pointy hair something fierce.
In the end, the NHS will, as it logically must, still end up with the buck for this. It would be nice to be able to pass fines like that on, but I doubt they made sure they could when they signed the contract, so probably not.
As such, the ICO really should not be listening to "but it wasn't me, guv!" arguments. Think about it. What would happen if they did? Then it'll always be someone else that "did it", and stupidity like this will remain unpunished as long as everyone in the chain can find someone else to point to. It's the NHS's ultimate responsibility to care for the data. So it's them that get fined.
An end to the culture of sub-contracting
all the public service functions, would make it a lot easier to hold people to account when things go wrong.
Flog your services off to the lowest bidder, and they'll do a shit job, but you won't be to blame and the NHS can pick up the fine - yeah, I can see why this is so popular.
Whilst I agree with the principle of the original point, I feel that the proper process here should be that the Trust takes the fine, and subsequently sues the subcontractor for breach of contract, plus whatever else is applicable, and recovers the cost of the fine.
As I see it, the trust is responsible for the data, as it was the organisation the data was given to, and the subcontractor is responsible for keeping to their agreed contract. Therefore the Trust has to take the hit for the data breach and should recover losses from the subcontractor for the contract breach.
In the end, though
Surely it is the responsibility of whoever subcontracted the work to ensure that there was a proper audit trail of what happened to the disks after they left NHS premises, and adequate proof that they were being destroyed.
If they failed to do this, and the drives were put up for sale, then it is entirely their fault.
If, however, the discovery that the drives were being put up for sale was a result of proper audit procedures, then they should be entirely in the clear.
If you have sensitive information that is covered under the DPA, you can't just hand it onto someone else with the promise that they will destroy it for you - you must have proof that this is happening.
In the end the NHS is still responsible.
The NHS cannot simply say "lookit, 'twasn't us, 'twas dem that we gave the problem to." The NHS still has to answer to the ICO. They must then go to the subcontractor and sue them for breach of contract (to the tune of that fine and a wee bit more, say).
Of course it is skewed that had nobody noticed, no fines would've been handed out, and moreover that now that they've been right quick preventing the data from actually getting flogged off, they face a fat fine. It's too easy to see that as a fine for doing your job, though apparently a few downvoters do.
So I agree some leniency for quick action is warranted. But that's not the same as "entirely in the clear"; they're still responsible for what happened to the data. There really is no way around that without the ICO risking letting itself be led down the garden path. (Disagree? Show how.) Quite possibly the ICO cannot even fine the subcontractor --really, whatever for?--, so they have no choice but to fine the NHS.
So the NHS, and for that matter anyone dealing with sensitive data, better learn to make sure they can indeed pass on that fine to the subcontractor, by including "you pay our ICO fines should anything go amiss" in the contract.
In fact, were I the NHS I'd put that and more in, then beg the ICO to double the fine so as to smash crooked contractors into oblivion. Do you see another way to do it?
Any decent lawyer ...
... would have had a clause in the contract saying "if you, by action or inaction, make us liable for fines under the DPA or other legislation, you will be paying the fine and all our costs". That this wasn't done suggests that the idiots at the health authority/trust accepted a standard form contract stuck under their noses by the company. Now they need to spend more time and money on suing the firm. Sad for the provision of healthcare in the affected area, but people only learn from mistakes.
Until the doofus managers who oversee such fiascoes feel some serious hurt — by preference in their pocketbooks — no tightening up will take place. Indeed, I'd name and shame them, and then put their names on a blacklist "do not employ this person in IT management".
The crazy system of one arm of the Crown fining another is...well...crazy. Which party originally inflicted this insanity on the suffering British people, pray tell?
At some point I'm sure these organisations will just work out that it is cheaper to run whole disk encryption.
If the 3rd Party was contracted to securely destroy the data, then surely *he* should be in the frame for any penalties under the DPA...shouldn't he? Wouldn't that be part of any contract between the NHS and their contractors?
But even if my assumption above is wrong and the NHS *does* have ultimate responsibility, the only people punished by this fine would be the patients whose care would suffer for want of those funds. No one learns anything, the cash re-enters the governmental money-go-round and some treatments are cancelled. Where's the point?
The NHS *always* has ultimate responsibility.
That's just how delegating a task works: You tell someone else to do it, and they answer to you for how they'd done it. You don't lose responsibility for how the task is done. So even if there are effective pass-the-buck clauses in the paperwork, the news would still be "NHS gets fined".
And yes, ultimately it's the patients that suffer. That, too, is the responsibility of the NHS.
The point? The point is that the ICO says "don't do that!" out loud enough for people to take notice. Whether that ultimately works is another matter, but not for the ICO to sort. They have their hands full with people in government and elsewhere doing boneheaded things with data enough as it is already. Still, it is a good question, and one that does need sorting. Write your MP today about it.
"The NHS *always* has ultimate responsibility."
"That's just how delegating a task works: You tell someone else to do it, and they answer to you for how they'd done it "
I beg to differ; think of the cowboy builders programmes on TV. Is it the poor old dear who's been ripped off 5K over a couple of roofing tiles' fault?
The NHS is, on the face of it, innocent here.
It doesn't state whether it was a specific contractor who specialises in destroying data, which would make it a lot more farcical, or an intermediate IT contractor who would be tasked with finding the above-mentioned data specialist, but at the end of the day it's the contractor's fault.
That's assuming, and for the love of god I hope I'm right in this assumption, the NHS manager in question did say, preferably in writing, "I want the data on these drives destroyed"
rather than "sure mate - if you can get a few quid for these PCs take 'em home and bung 'em on ebay!"
I actually work for the NHS, clearly a different department, because the amount of money we're spending making sure data (and the hardware it's on) is destroyed is horrific, not to mention the money having the rest of the hardware "recycled".
For PCs and monitors without drives ebay would in fact be a far more green / ecologically sound AND financially better solution.
I have no telly so I have no idea what your example is on about. If you order someone to roof your house, they answer to you how they do that, and you bind them to that through a contract to build. If you don't have that you fall back on existing law, which may or may not protect you. Getting ripped off usually means someone having found loopholes in law and/or contracts (or written them in themselves) and abusing them, sticking you with the bill.
The NHS is entrusted with data, they put it on hard drives, so it's their responsibility to ensure it doesn't go walkies when they'd like to dispose of the hard drives. They don't lose that responsibility (that the ICO can rap them for) even if they contract out the wiping. So in that respect they are not, cannot be, innocent. Protecting that data is their job, pure and simple.
And yes, the NHS really should have, in writing, not merely "I want this data destroyed" but also "and YOU get our ICO fines if you fail us". If not, they get fined for failing to care for the data --they gave it away and the contractor turned out crooked-- and get stuck with it for failing to put into the contract the right to pass on the fine to the contractor.
As responsibilities go, this is how it works. Having tried and apparently succeeded to get the drives with the data back in time should get you some leniency, so the height of the fine is probably more than a bit frustrating for the NHS. Unless they can pass it on, of course.
why the NHS?
The NHS trust is as much a victim as the patients whose confidentiality was breached.
The contractor is the perp & should be punished, not the NHS trust.
The big problem with this fine is it's going to mean a return to the IBM / CapGemini / WAACTW getting all the contracts just so managers have their arse covered.
The contractor was not the Data Controller ...
... and so, for the purposes of the Act, isn't responsible. They could (and should) be made liable through private law routes, though.
Better drafting of the contract would have made this a non-issue for the trust.
The NHS is responsible
If an organisation could escape responsibility for data protection by passing it on to a third party, then they would pay a tenner to anyone who'd take the disks away and data protection would be meaningless.
The chief executive of the NHS trust said "We were the victims of a crime". They weren't. The police have decided to take no action against the contractor. He received the disks lawfully and then didn't destroy them, which was merely a breach of contract. Perhaps the fine will help to improve the CEO's understanding of the law and his responsibilities.
A former CEO of mine once said to me that when he was a much more junior manager he used to read through the contents of the to-be-shredded bin to find out what was going on in the company. The lesson was clear: if you have something sensitive that needs shredding, do it yourself.
Destruction of confidential information on hard disks is something that is sufficiently important and happens sufficiently infrequently that the responsible manager should be witnessing it himself.
I'll buy they didn't intend to have drives with data flogged.
Then again, irresponsibility of a (sub)contractor doesn't absolve you from having to care for the data on the hard drives. Or at least it really should not. That is how responsibility and delegation (through outsourcing) works. That this is risky ought to be evident.
So I think I'll support both the notion of "proposing" that fine, and the notion of the NHS not having to pay all of that, given that they acted quickly and gotten all the media back. What's happened with the data is probably for the police to sort out.
They should probably learn that the only way you can be sure the wiping gets done is to do it yourself (and even then...) before handing the kit to the cheapest bidder. Or, you know, watch the drives get tossed into an industrial shredder (and inspect the results), or to dissolve them in a blast furnace, or something.
In the end, this way of ensuring privacy just isn't very tenable; it doesn't scale. Therefore we'll need better ways to handle personally sensitive information. Too bad the NHS has to bear the brunt of it as they weren't too great with this automation thing to begin with. We'll keep on seeing things like this until well and truly fixed and I expect it to be fixed, well, never in the case of the NHS as it currently exists, and they're not the only ones with that problem.
Why are the ICO so quick to throw huge fines at councils and (now) the NHS? But they dare not go near big corporations?
In this case the NHS followed the rules and paid for secure destruction. They got screwed over.
Councils and the NHS have far more data about individuals than companies do. The NHS has all your medical records (obviously). The council will have details of complaints you've made, complaints made about you, council tax payment details, the property you live in, what benefits you receive etc. Most of the council information is available to huge numbers of council workers. Go to a council walk-in centre and the people there will have access to it.
Asda, on the other hand, knows what food you eat and recognises that this information is valuable. It therefore takes steps to ensure it is protected. No one at your local store (including the store manager) will have access to it. Fewer people with access means fewer opportunities to disclose or lose the data.
If you have a specific example of a big corporation being let off the hook by the ICO then why not tell us who it was instead of the generic "big corporation" complaint?
credit card application forms?
"a specific example of a big corporation being let off the hook by the ICO "
credit card application forms? They have everything a fraudster might want.
You do remember the case in 2008 where a server used for processing credit card applications for Amex, NatWest, and RBS was sold off on fleaBay, while still containing images of the paper application forms, don't you? The individual who bought the server was Andrew Chapman, the subcontractor doing the processing was called Graphic Data.
e.g. http://www.zdnet.co.uk/news/security-management/2008/08/26/amex-rbs-natwest-customer-details-sold-on-ebay-39465455/ and
I can't remember what (if anything) the ICO did about it, and (oddly enough) the popular search engine also doesn't easily find any reports of what action they took. Perhaps someone else can find something, as absence of evidence of action is not evidence of absence of action.
But until someone produces details of what the ICO did in this case, I rate this one as "big corporations being let off the hook"
And that's one of the rare ones that made it as far as the press. M'learned friends working on behalf of the private sector and in particular finance companies usually work better and more rapidly than they did in Andrew Chapman's case.
I'm sure there are plenty more examples, but I have other things to do.
As others have already noted, the way to get folks attention to detail to prevent cases like this is to hold the Chief Executive (or similar) personally responsible. After all, when things are going well, they pay themselves as though the success was their personal doing. So when they let things go wrong, surely the same principle should apply.
> If you have a specific example of a big corporation being let off the hook
1.) BT and Phorm
2.) BT and ACS:Law (when details were provided unencrypted against the demands of a court order)
3.) The entire media according to one witness at the Leveson inquiry
4.) Google and their wifi Streetview tricks
5.) Lush (see http://www.computerweekly.com/news/2240105315/ICO-failure-to-punish-Lush-for-data-breach-sends-wrong-message)
Finally given Vodafone's and 3's attitude towards Bluecoat and illegally sharing our personal data with them it's fairly clear that they don't think that they have anything to fear from the ICO. For some reason ISPs keep on managing to get a 'get out of jail free' card.
Need any more examples?
Monetary penalties were only introduced in April 2010, so anything before that could not have resulted in a fine.
Individuals could get compensation, but the ICO never had the power to impose monetary penalties.
You will have to find something more recent than that.
Finally, all the parties involved in that incident were found to be in breach and had to sign an undertaking not to do it again. That was the limit of the ICO's powers at that time. If it happened today then they would probably be fined.
1) Pre 2010 no fines possible
2) ACS:Law was fined by the ICO in May 2011
3) Ongoing investigation
4) Intercepting WiFI comes under RIPA and not the DPA
5) Lush was hacked.
1.) So what about Talktalk and their homesafe product in use today? What about 3 and Vodafone's use of Bluecoat? It started with Phorm but spread to other ISPs and shows no sign of stopping. And it will never stop as long as the ICO continues to do nothing about it.
2.) And it was BT that breached the court order, not ACS:Law. BT were the ones faced with the court order, not ACS:Law, and they are the ones ultimately responsible for failing to comply with it. However in that case the ICO preferred to gut the DPA rather that enforce it. A sad, but nonetheless predictable outcome.
3 & 4) Fair enough.
5.) If it's a result of poor security then it doesn't matter if they were hacked or not - they failed to adequately secure customer data and should be punished for that failure.
1) What about TalkTalk? Has the ICO received a complaint? Why not list every company you have a gripe with? Alternatively you could look at the ICO site and find out for yourself if a complaint has been raised.
2) Breach of a court order is not the same as a breach of the DPA.
5) It was a sustained hacking attack, not poor security.
The ICO needs to receive a complaint before it will even consider stopping illegal action?
They are definitely aware of Talktalk's homesafe product, as Talktalk themselves have previously mentioned conversations with the commissioner over claims in regards to the system, but the ICO has failed to do anything about it.
Incidentally my own communications with the ICO on another matter indicate a complete lack of any technical knowledge on the part of the people working there. They do not seem to understand that something like a URL could contain personal information that could be used to identify the user (http://www.dummywebsite.com/?name=joe&lastname=bloggs as a basic example), thereby presumably making URLs entered by users personal data that should be protected by the Data Protection Act.
This should not really come as a surprise though given the lack of people working at the ICO that have any knowledge of how technology works and how it can be abused.
Nevertheless it should make for an interesting follow up email to INFSO (the part of the EU commission that has been dealing with PECR-related issues in the UK). If previous failures to act are anything to go by then the ICO will probably decide to not do anything about my case, and I can then give INFSO my own example of how privacy is still being ignored in the UK. Perhaps if enough people complain we can even get the commission to re-open the court case that it has pending against the government here for failing to properly implement PECR.
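The point made above about personal data in URLs is easy to check for in practice. The following is an added example, not code from any commenter or from the ICO: it parses a URL's query string, flags parameters that look like personal data (by a hypothetical key list, or by value shape such as an e-mail address or a 10-digit NHS-number-like value), and returns a redacted copy suitable for writing to a proxy or web-server log. The sample URLs are constructed; the first is the one quoted in the comment above.

```python
"""Flag and redact personal data carried in URL query parameters (added example)."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical list of parameter names that commonly carry personal data.
PII_KEYS = {
    "name", "firstname", "lastname", "surname", "email", "dob",
    "postcode", "nhsno", "nhs_number", "phone", "tel", "patient_id",
}
# Value-shape checks: an e-mail address, or a 10-digit NHS-number-like value
# (three, three, four digits, optionally space-separated). Illustrative only.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
NHS_NUMBER_RE = re.compile(r"^\d{3}\s?\d{3}\s?\d{4}$")


def _looks_personal(key: str, value: str) -> bool:
    """True if either the parameter name or the value shape suggests personal data."""
    normalised = key.lower().replace("-", "_")
    if normalised in PII_KEYS:
        return True
    return bool(EMAIL_RE.match(value)) or bool(NHS_NUMBER_RE.match(value))


def find_pii_params(url: str) -> list:
    """Return the names of query parameters that appear to carry personal data."""
    query = urlsplit(url).query
    return [k for k, v in parse_qsl(query, keep_blank_values=True)
            if _looks_personal(k, v)]


def redact_url(url: str, placeholder: str = "REDACTED") -> str:
    """Return the URL with suspect parameter values replaced, structure preserved."""
    parts = urlsplit(url)
    pairs = [(k, placeholder if _looks_personal(k, v) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(pairs), parts.fragment))


def scan_urls(urls: list) -> dict:
    """Map each URL that carries suspect parameters to the list of their names."""
    return {u: hits for u in urls if (hits := find_pii_params(u))}


# Constructed sample URLs, as might appear in a proxy log.
SAMPLE_URLS = [
    "http://www.dummywebsite.com/?name=joe&lastname=bloggs",
    "https://example.org/search?q=asthma&page=2",
    "https://example.org/lookup?ref=9434765919",
    "https://example.org/contact?to=joe%40example.com",
]

if __name__ == "__main__":
    for url, hits in scan_urls(SAMPLE_URLS).items():
        print(hits, "->", redact_url(url))
```

The key list only catches what it names, so the value-shape checks matter as much as the list; personal data can also sit in the path (for example a patient identifier as a path segment) or a fragment, which this example deliberately does not cover.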
Hold up. "Certified contractor"
I *really* hate to say this.
*If* the con-tractor (and given their behavior that is the right way to pronounce the word) agreed to *destroy* the drives to the relevant British Standard (industrial shredder ?) *they* are in breach of contract and flat out lying about where the hardware is going.
It's a breach of contract (unless the contract is *very* slack. Not impossible given NfIT) and the NHS were acting (for once) in good faith. Visits from NHS lawyers, Police and the local council Trading Standards staff should all be happening.
This little scam has even been played with crematoria in the US, when the owners realized they could just charge for the gas and stick them in the ground out back.
Further to this, all contractors I know have Indemnity Insurance in excess of £1m. None of the agencies I've seen will engage a contractor who doesn't have Indemnity insurance, and that is for Individuals working through a limited company, not even companies with several employees providing services such as data destruction who need far more coverage.
Re: Hold up. "Certified contractor"
> *If* the con-tractor [...] agreed to *destroy* the drives [...] *they* are in breach of contract
The issue here however is not one of a breach of contract, but one of falling foul of the Data Protection Act.
I imagine that the question that must be answered in order to determine responsibility is who was the custodian of said records at the time they were compromised.
It's a sad fact that the NHS might have been caught on a technicality when by the looks of it they were trying to do everything by the book. It's sadder still to see the ICO go after them and instead look the other way when big business is involved (credit card companies, banks, Phorm/BT [primarily a RIPA violation, but there might have been DPA issues as well], Google, etc., etc.).
That was an hour north of where I live. The funny part was that it was simply laziness... with a little extra effort, they could have sold the coffins off as pre-owned. Instead, they just stacked the coffins like boxes...
What do they mean by registered contractor? Registered with whom?
From the sound of it they are talking about an individual and not an organisation. In other words one of the IT contractors they use said "I can destroy them for you for £X per drive" to which the Trust said "yes".
If that is the case then there is some justification in the fine as they should have ensured the individual concerned did actually destroy them.
There really is no justification, just no bad faith (or so it seems).
Using contractors should be irrelevant, they had the data, the HDDs went on sale, guess who is going to pay...
NHS IS responsible
If they decide to subcontract, it is their sole problem, THEY have the legal custody of the data.
They are also victims, but of a different crime, and they should be punished. Depending on the contract, maybe the decision maker should be sacked, or not.
They should, of course, pass the bill to the subcontractor, as the contract should include this. If it doesn't, then sack who signed the contract, without severance pay.
I would agree with that. The ICO is only concerned with who had initial responsibility and who passed that responsibility on to a third-party, in this case the NHS trust. The trust should now seek to recover the costs from the sub-contractor's insurance company as a breach of contract regarding the destruction of the data units.
Oh you mean someone in the trust has a mate of a mate who said he "worked in IT" and would take the drives out to his garage and drill holes in them for a fiver a time? 'Cept he thought he might be a able to get some extra cash from some dodgy people buying them off fleaBay?
Sack the twat who cleared this without checking, the manager and anyone who authorised the payment to the contractor without doing proper due diligence!
"registered contractor "
Shouldn't the Hospitals first response be to complain to the contractor's registering body, then sue for losses and costs incurred consequent to breach of contract. Considering the potential consequences, I do not think the fine was particularly large. The penalty and accrued costs should just be passed back until they reach the guilty party.
The Problem With This
Is that it doesn't really hurt the trust because we the tax payers pay it.
Really the people that should be fined are the directors of the trust, they are supposedly paid to take responsibility for things, so they should suffer the financial consequences, not the patients or for that matter, us the tax payer.
Can't beat a good rant in the morning
Sack someone. As close to the top as you can.
Someone is responsible, and sacking the manager/person in charge is going to send a way stronger signal than squeezing their budget further.
Sadly the ICO probably doesn't have that power...
That'll just mean they collect a huge severence/golden parachute payment (cos people at the top -never- get sacked.. they all agree to depart by mutual consent upon payment of sufficient compensation, bonus, pay in lieu, pension contribution) and immediately walk into a new job as head of the hospital trust down the road.
Need more details..
..does the contractor have all the relevant ISO's (2700x range spring to mind). Was a contract in place for secure data destruction before disposal?
If they followed correct, sensible procedures, then they shouldn't be held responsible.
If they opened the Yellow pages, took out a pin and went you, they'll do, then they are to be accountable. This should be taken out of the CIO's (or whatever they have) wages, not the NHS funds.
This is a notice of fine, not the fine that may be imposed. The Trust is challenging it.
This appears to my mind to be a profile raising exercise by the ICO.
If I read the article right (and elsewhere), and accepting that journos usually only have half the tale, it appears the Trust took all reasonable measures to protect the hard drives by locking them away then contracting a body to destroy them. All in their policy and procedure. A rogue employee is just that, someone who ignores policy and procedure for their own gain or to be malicious. I agree that morally the perp should be penalised, but under the DPA the Trust is the data owner and must bear ultimate responsibility. But, like other posters, I agree that a hefty fine like this would do no good to the NHS. Watch it silently disappear once the Trust challenges it....
Processes and checks
It's entirely possible that the fine isn't entirely related to the data loss itself, but to possibly not having proper procedures and processes in place to audit the subcontractor to ensure that he was doing what he was contracted to do, i.e. securely destroy the drives.
With HDD prices as they are contractors are going to be tempted.
NHS need to realise that they need to get the basics right like verification and onsite destruction.
Some contractors offer this, they have HDD shredders on lorries. They come in with the lorry your IT guys bring the HDD and tip them in a hopper. They can verify that the HDD were destroyed.
It costs a bit more, but it's peace of mind.
Trust, but verify: the bywords of security these days.
It may well be that the contractor had a contract to destroy harddrives - not knowing what may, or may not, have been on them.
The NHS has a duty to safe guard information, and that cannot be delegated.
A hard lesson to learn, but learn it they must.
One reason that public bodies need to be fined (not that I am happy about it) is that commercial organisations suffer commercially if they cock up and get in the news, as we, the consumers can vote with our feet; where this does not apply to public bodies.
We have used disk destruction services before for sensitive data and I am glad they've had the book thrown at them for not checking the end result.
Ours shredded the disk into a million pieces. If the PCT had followed this - there wouldn't have been any disks to sell on e-bay.
Did you count...
... all 1 million pieces? Or did you get up to 999990 and decide there wouldn't be sufficient confidential data on the remaining 10 pieces to bother checking :p
I still think that destroying hardware in order to safeguard the data on it is very wasteful. A securely wiped drive won't give up data to less than extreme recovery methods - even the most basic wipe of the drive (raw device rather than file system) will make data inaccessible for most purposes, and the drive is then available for re-use. Given the current price of drives and the constant budget pressures in organisations like the NHS it's almost irresponsible /not/ to sell them on.
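The two points above, "trust, but verify" and the claim that a raw-device wipe (rather than a file-system delete) is enough for most purposes, can be shown together. What follows is an added example, not code from any commenter: a file stands in for a raw block device, constructed sample records (the NHS numbers are made up) are scattered across it, and the script contrasts a simulated file-system delete, which only clears a pretend allocation table, with an overwrite of every sector, reading the device back afterwards to produce the evidence a verification step would log.

```python
"""Wipe-and-verify demonstration on a file standing in for a raw block device (added example)."""
import os
import re
import tempfile

SECTOR = 512
DEVICE_SECTORS = 2048            # a 1 MiB toy "drive"

# Constructed sample records; the NHS numbers below are made up for illustration.
SAMPLE_RECORDS = [
    b"NHS:943 476 5919;NAME:J BLOGGS;DOB:1961-04-02;DIAG:hypertension",
    b"NHS:485 777 3456;NAME:A N OTHER;DOB:1978-11-30;DIAG:asthma",
]
PII_PATTERN = re.compile(rb"NHS:\d{3} \d{3} \d{4}")


def make_device(path: str) -> None:
    """Create the zero-filled toy device and scatter the sample records across it."""
    with open(path, "wb") as dev:
        dev.write(b"\x00" * (SECTOR * DEVICE_SECTORS))
        for i, rec in enumerate(SAMPLE_RECORDS):
            dev.seek(SECTOR * (100 + i * 300))
            dev.write(rec)


def filesystem_delete(path: str) -> None:
    """Mimic 'deleting the file': only the pretend allocation table in sector 0
    is cleared; the data sectors holding the records are left untouched."""
    with open(path, "r+b") as dev:
        dev.seek(0)
        dev.write(b"\x00" * SECTOR)


def raw_wipe(path: str, passes: int = 1) -> None:
    """Overwrite every byte of the raw device in 64 KiB chunks, then fsync,
    so the verification below reads what actually reached the device."""
    size = os.path.getsize(path)
    with open(path, "r+b") as dev:
        for _ in range(passes):
            dev.seek(0)
            remaining = size
            while remaining > 0:
                chunk = min(remaining, 64 * 1024)
                dev.write(b"\x00" * chunk)
                remaining -= chunk
            dev.flush()
            os.fsync(dev.fileno())


def verify_wiped(path: str) -> dict:
    """Read the whole device back and report what still looks like a record.
    Counts are returned rather than a bare bool so the caller can log evidence."""
    with open(path, "rb") as dev:
        data = dev.read()
    return {
        "pii_hits": len(PII_PATTERN.findall(data)),
        "nonzero_bytes": len(data) - data.count(0),
    }


def demo() -> dict:
    """Run delete-then-verify and wipe-then-verify on a temp file; return both results."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        make_device(path)
        filesystem_delete(path)
        after_delete = verify_wiped(path)
        raw_wipe(path)
        after_wipe = verify_wiped(path)
    finally:
        os.remove(path)
    return {"after_delete": after_delete, "after_wipe": after_wipe}


if __name__ == "__main__":
    print(demo())
```

On a real spinning disk the same read-back check after `dd if=/dev/zero of=/dev/sdX` (or `shred -n 1`) is the verification step the thread keeps asking for. Note the caveat for SSDs and for drives with remapped sectors: the read-back only sees what the drive chooses to present, so the firmware's own ATA Secure Erase or a crypto-erase of a self-encrypting drive is needed there, and physical destruction remains the answer when that cannot be confirmed.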