I agree with the sentiment.

The problem with this is that the shitbag will have done this a) in name of the NHS (as in will have been working for them at the time, probably still) and b) in good faith, believing the salespitch of fully privacy-ensured data deletion and buzzword buzzword buzzword buzzword, guaranteed! Think middle manager and how such positions attract pointy hair something fierce.

In the end, the NHS will, as it logically must, still end up with the buck for this. It would be nice to be able to pass fines like that on, but I doubt they made sure they could when they signed the contract, so probably not.

As such, the ICO really should not be listening to "but it wasn't me, guv!" arguments. Think about it. What would happen if they did? Then it'll always be someone else that "did it", and stupidity like this will remain unpunished as long as everyone in the chain can find someone else to point to. It's the NHS's ultimate responsibility to care for the data. So it's them that get fined.

An end to the culture of sub-contracting

all the public service functions, would make it a lot easier to hold people to account when things go wrong.

Flog your services off to the lowest bidder, and they'll do a shit job, but you won't be to blame and the NHS can pick up the fine - yeah, I can see why this is so popular.

Whilst I agree with the principal of the original point, I feel that the proper process here should be that the Trust takes the fine, and subsequently sues the subcontractor for breach of contract, plus whatever else is applicable and recover the cost of the fine.

As I see it, the trust is responsible for the data, as it was the organisation the data was given to, and the subcontractor is responsible for keeping to their agreed contract. Therefore the Trust has to take the hit for the data breach and should recover losses from the subcontractor for the contract breach.

However, IANAL.

In the end, though

Surely it is the responsibility of whoever subcontracted the work to ensure that there was a proper audit trail of what happened to the disks after they left NHS premises, and adequate proof that they were being destroyed.

If they failed to do this, and the drives we put up for sale then it is entirely their fault.

If, however, the discovery that the drives were being put up for sale was a result of proper audit procedures, then they should be entirely in the clear.

If you have sensitive information that is covered under the DPA, you can't just hand it onto someone else with the promise that they will destroy it for you - you must have proof that this is happening.

In the end the NHS is still responsible.

The NHS cannot simply say "lookit, 'twasn't us, 'twas dem that we gave the problem to." The NHS still has to answer to the ICO. They must then go to the subcontractor and sue them for breach of contract (to the tune of that fine and a wee bit more, say).

Of course it is skewed that had nobody noticed, no fines would've been handed out, and moreover that now that they've been right quick preventing the data from actually getting flogged off, they face a fat fine. It's too easy to see that as a fine for doing your job, though apparently a few downvoters do.

So I agree some leniency for quick action is warranted. But that's not the same as "entirely in the clear"; they're still responsible for what happened to the data. There really is no way around that without the ICO risking letting itself be led down the garden path. (Disagree? Show how.) Quite possibly the ICO cannot even fine the subcontractor --really, whatever for?--, so they have no choice but to fine the NHS.

So the NHS, and for that matter anyone dealing with sensitive data, better learn to make sure they can indeed pass on that fine to the subcontractor, by including "you pay our ICO fines should anything go amiss" in the contract.

In fact, were I the NHS I'd put that and more in, then beg the ICO to double the fine so as to smash crooked contractors into oblivion. Do you see another way to do it?

Any decent lawyer ...

... would have had a clause in the contract saying "if you, by action or inaction, make us liable for fines under the DPA or other legislation, you will be paying the fine and all our costs". That this wasn't done suggests that the idiots at the health authority/trust accepted a standard form contract stuck under their noses by the company. Now they need to spend more time and money on suing the firm. Sad for the provision of healthcare in the affected area, but people only learn from mistakes.

At some point I'm sure these organisations will just work out that it is cheaper to run whole disk encryption.

The NHS *always* has ultimate responsibility.

That's just how delegating a task works: You tell someone else to do it, and they answer to you for how they'd done it. You don't lose responsibility for how the task is done. So even if there are effective pass-the-buck clauses in the paperwork, the news would still be "NHS gets fined".

And yes, ultimately it's the patients that suffer. That, too, is the responsibility of the NHS.

The point? The point is that the ICO says "don't do that!" out loud enough for people to take notice. Whether that ultimately works is another matter, but not for the ICO to sort. They have their hands full with people in government and elsewhere doing boneheaded things with data enough as it is already. Still, it is a good question, and one that does need sorting. Write your MP today about it.

I have no telly so I have no idea what your example is on about. If you order someone to roof your house, they answer to you how they do that, and you bind them to that through a contract to build. If you don't have that you fall back on existing law, which may or may not protect you. Getting ripped off usually means someone having found loopholes in law and/or contracts (or written them in themselves) and abusing them, sticking you with the bill.

The NHS is entrusted with data, they put it on hard drives, so it's their responsibility to ensure it doesn't go walkies when they'd like to dispose of the hard drives. They don't lose that responsibility (that the ICO can rap them for) even if they contract out the wiping. So in that respect they are not, cannot be, innocent. Protecting that data is their job, pure and simple.

And yes, the NHS really should have, in writing, not merely "I want this data destroyed" but also "and YOU get our ICO fines if you fail us". If not, they get fined for failing to care for the data --they gave it away and the contractor turned out crooked-- and get stuck with it for failing to put into the contract the right to pass on the fine to the contractor.

As responsibilities go, this is how it works. Having tried and apparently succeeded to get the drives with the data back in time should get you some leniency, so the height of the fine is probably more than a bit frustrating for the NHS. Unless they can pass it on, of course.

The big problem with this fine is it's going to mean a return to the IBM / CapGemini / WAACTW getting all the contracts just so managers have their arse covered.

The contractor was not the Data Controller ...

... and so, for the purposes of the Act, isn't responsible. They could (and should) be made liable through private law routes, though.

Better drafting of the contract would have made this a non-issue for the trust.

The NHS is responsible

If an organisation could escape responsibility for data protection by passing it on to a third party, then they would pay a tenner to anyone who'd take the disks away and data protection would be meaningless.

The chief executive of the NHS trust said "We were the victims of a crime". They weren't. The police have decided to take no action against the contractor. He received the disks lawfully and then didn't destroy them, which was merely a breach of contract. Perhaps the fine will help to improve the CEO's understanding of the law and his responsibilities.

A former CEO of mine once said to me that when he was a much more junior manager he used to read through the contents of the to-be-shredded bin to find out what was going on in the company. The lesson was clear: if you have something sensitive that needs shredding, do it yourself.

Destruction of confidental information on hard disks is something that is sufficiently important and happens sufficiently infrequently that the responsible manager should be witnessing it himself.

Because..

Councils and the NHS have far more data about individuals than companies do. The NHS has all your medical records (obviously). The council will have details of complaints you've made, complaints made about you, council tax payment details, the property you live in, what benefits you receive etc. Most of the council information is available to huge numbers of council workers. Go to a council walk-in centre and the people there will have access to it.

Asda, on the other hand, knows what food you eat and recognises that this information is valuable. It therefore takes steps to ensure it is protected. No one at your local store (including the store manager) will have access to it. Fewer people with access means fewer opportunities to disclose or lose the data.

If you have a specific example of a big corporation being let off the hook by the ICO then why not tell us who it was instead of the generic "big corporation" complaint?

credit card application forms ?

"a specific example of a big corporation being let off the hook by the ICO "

credit card application forms ? They have everything a fraudster might want.

You do remember the case in 2008 where a server used for processing credit card applications for Amex, NatWest, and RBS was sold off on fleaBay, while still containing images of the paper application forms, don't you? The individual who bought the server was Andrew Chapman, the subcontractor doing the processing was called Graphic Data.

e.g. http://www.zdnet.co.uk/news/security-management/2008/08/26/amex-rbs-natwest-customer-details-sold-on-ebay-39465455/ and

http://www.theregister.co.uk/2008/08/28/data_bank_details/

I can't remember what (if anything) the ICO did about it, and (oddly enough) the popular search engine also doesn't easily find any reports of what action they took. Perhaps someone else can find something, as absence of evidence of action is not evidence of absence of action.

But until someone produces details of what the ICO did in this case, I rate this one as "big corporations being let off the hook"

And that's one of the rare ones that made it as far as the press. M'learned friends working on behalf of the private sector and in particular finance companies usually work better and more rapidly than they did in Andrew Chapman's case.

I'm sure there are plenty more examples, but I have other ting to do.

As others have already noted, the way to get folks attention to detail to prevent cases like this is to hold the Chief Executive (or similar) personally responsible. After all, when things are going well, they pay themselves as though the success was their personal doing. So when they let things go wrong, surely the same principle should apply.

Re: Because..

> If you have a specific example of a big corporation being let off the hook

Phorm

@AC 09:43

1.) BT and Phorm

2.) BT and ACS:Law (when details were provided unencrypted against the demands of a court order)

3.) The entire media according to one witness at the Leveson inquiry

4.) Google and their wifi Streetview tricks

5.) Lush (see http://www.computerweekly.com/news/2240105315/ICO-failure-to-punish-Lush-for-data-breach-sends-wrong-message)

Finally given Vodafone's and 3's attitude towards Bluecoat and illegally sharing our personal data with them it's fairly clear that they don't think that they have anything to fear from the ICO. For some reason ISPs keep on managing to get a 'get out of jail free' card.

Need any more examples?

Monetary penalties where only introduced in April 2010 so anything before that could not have resulted in a fine.

Individuals could get compensation, but the ICO never had the power to impose monetary penalties.

You will have so find something more recent than that.

Finally, all the parties involved in that incident where found to be in breach and had to sign an undertaking not to do it again. That was the limit of the ICO powers at that time. If it happened today then they would probably be fined.

1) Pre 2010 no fines possible

2) ACS:Law was fined by the ICO in May 2011

3) Ongoing investigation

4) Intercepting WiFI comes under RIPA and not the DPA

5) Lush was hacked.

@AC 14:35

1.) So what about Talktalk and their homesafe product in use today? What about 3 and Vodafone's use of Bluecoat? It started with Phorm but spread to other ISPs and shows no sign of stopping. And it will never stop as long as the ICO continues to do nothing about it.

2.) And it was BT that breached the court order, not ACS:Law. BT were the ones faced with the court order, not ACS:Law, and they are the ones ultimately responsible for failing to comply with it. However in that case the ICO preferred to gut the DPA rather that enforce it. A sad, but nonetheless predictable outcome.

3 & 4) Fair enough.

5.) If it's a result of poor security then it doesn't matter if they were hacked or not - they failed to adequately secure customer data and should be punished for that failure.

1) What about TalkTalk? Has the ICO received a complaint? Why not list every company you have a gripe with? Alternatively you could look at the ICO site and find out for yourself if a complaint has been raised.

2) Breach of a court order is not the same as a breach of the DPA.

5) It was a sustained hacking attack, not poor security.

@AC 16:11

The ICO needs to receive a complaint before it will even consider stopping illegal action?

They are definitely aware of Talktalk's homesafe product, as Talktalk themselves have previously mentioned conversations with the commissioner over claims in regards to the system, but the ICO has failed to do anything about it.

@AC 16:11

Incidentally my own communications with the ICO on another matter indicate a complete lack of any technical knowledge on the part of the people working there. They do not seem to understand that something like a URL could contain personal information that could be used to identify the user (http://www.dummywebsite.com/?name=joe&lastname=bloggs as a basic example), thereby presumably making URLs entered by users personal data that should be protected by the Data Protection Act.

This should not really come as a surprise though given the lack of people working at the ICO that have any knowledge of how technology works and how it can be abused.

Nevertheless it should make for an interesting follow up email to INFSO (the part of the EU commission that has been dealing with PECR-related issues in the UK). If previous failures to act are anything to go by then the ICO will probably decide to not do anything about my case, and I can then give INFSO my own example of how privacy is still being ignored in the UK. Perhaps if enough people complain we can even get the commission to re-open the court case that it has pending against the government here for failing to properly implement PECR.

Re: Hold up. "Certifed contractor"

> *If* the con-tractor [...] agreed to *destroy* the drives [...] *they* are in breach of contract

The issue here however is not one of a breach of contract, but one of falling foul of the Data Protection Act.

I imagine that the question that must be answered in order to determine responsibility is who was the custodian of said records at the time they were compromised.

It's a sad fact that the NHS might have been caught on a technicality when by the looks of it they were trying to do everything by the book. It's sadder still to see the ICO go after them and instead look the other way when big business is involved (credit card companies, banks, Phorm/BT [primarily a RIPA violation, but there might have been DPA issues as well], Google, etc., etc.).

true.

That was an hour north of where I live. The funny part was that it was simply lazyness...with a little extra effort, they could have sold the coffins off as pre-owned. Instead, they just stacked the coffins like boxes...

Justification

There really is no justification, just no bad faith (or so it seems).

Using contractors should be irrelevant, they had the data, the HDDs went on sale, guess who is going to pay...

I would agree with that. The ICO is only concerned with who had initial responsibility and who passed that responsibility on to a third-party, in this case the NHS trust. The trust should now seek to recover the costs from the sub-contractor's insurance company as a breach of contract regarding the destruction of the data units.

Oh you mean someone in the trust has a mate of a mate who said he "worked in IT" and would take the drives out to his garage and drill holes in them for a fiver a time? 'Cept he thought he might be a able to get some extra cash from some dodgy people buying them off fleaBay?

Sack the twat who cleared this without checking, the manager and anyone who authorised the payment to the contractor without doing proper due diligence!

Sack them...?

That'll just mean they collect a huge severence/golden parachute payment (cos people at the top -never- get sacked.. they all agree to depart by mutual consent upon payment of sufficient compensation, bonus, pay in lieu, pension contribution) and immediately walk into a new job as head of the hospital trust down the road.