The Information Commissioner is proposing to issue its heaviest ever fine for a breach of UK data protection laws. It proposes fining a health body after patient records were stolen from a hospital and sold on eBay. Brighton and Sussex University Hospitals NHS Trust told Out-Law.com that hard drives containing patient data had …
Money go round
If facts are as presented, NHS will charge back the contractor. The contractor will claim on their insurance.
At each step, lawyers will lap up fees.
Insurer will put up fees to NHS contractors.
Contractors will pass increased costs to NHS clients.
And, just, perhaps some NHS execs miss out on gongs in the honours list.
I guess this is what you get when tendering for services is required: lower prices often result in lower standards.
It really is time that much of this outsourcing bollox was clamped down on; it leads to a huge number of non-productive jobs connected with the contracts, while the economies of scale are lost by virtue of supply to individual trusts rather than a huge national service.
Data storage equipment and the management of it should be in the care of the data custodians; that way the responsibility cannot be fudged.
As ever, policy is driven by the demands of business to suckle at the public funding trough.
On the face of it, it seems unfair to fine the hospital for the behaviour of their sub-contractor. Surely the sub-contractor is the criminal here. That may be the case, but I was in on the meetings when a different NHS group (a PCT in the South West) was selecting 3rd party IT providers. I pointed out that for the same amount of money, they could actually just expand their internal IT support staff and (a) get more actual man-hours for the same amount of money, (b) not introduce co-ordination issues between their internal and external services and (c) actually have people they could directly manage.
After pushing this point for a while and being fobbed off with various flawed justifications, it was eventually put explicitly that if they outsourced their IT support, they would no longer be responsible for it. So yes, maybe the hospital is not at fault. But I have seen active and deliberate avoidance of responsibility be the motivating factor in purchasing decisions in the NHS. Between attitudes like that and the attempt by New Labour to sell the entire NHS off to private industry, it's a tribute to the actual medical staff that it's still actually running!
Most commentators seem to think that the NHS have been wronged here by the contractor. However, when RBS had a similar thing happen, with a subcontracted data processing company having servers stolen by an employee and flogged on eBay, commentators were queuing up to slag off RBS because "it was their fault".
commentators slagging off RBS because "it was their fault".
It may not have been Amex/NatWest/RBS's fault, but it was their data and their responsibility.
That's exactly the point. The appropriate contracts were in place, with penalties and audits. The servers were waiting in a lockup for secure destruction. An employee of the supplier took it upon himself to use his access to the lockup to steal the machines and sell them. This is hardly RBS' fault, and nothing they could have had control over, which is very much the case here.
It doesn't matter that "it wasn't their fault".
It was undeniably their responsibility. The fact that they chose to sub something out to someone who turned out not to be trustworthy is relevant only to the lawyers, who shall be first against the wall when the revolution comes.
Whatever the money-chasing lawyers might want you to believe, an organisation cannot absolve itself of the responsibility for having a job done simply by shuffling some paper and moving some money.
Public vs Private
There seems to be a trend here.
The ICO grow a pair when it comes to hunting down Councils, NHS and other public sector organisations committing data offences. Nice easy targets.
But should the offence involve a private corporation, I'm yet to see anything but "advice given" or token fines that are, in relative terms, pocket money.
This is where we have the well known siblings, Accountability and Responsibility.
The data destruction was tasked to a contractor. They were /responsible/ for the data breach.
The paperwork to authorise this work and sign the equipment off of the asset register to the contractor for the purposes of destruction was performed by the NHS Trust. They were /accountable/ for the data breach.
This is a useful distinction to note - I've been in many a discussion on accountability and responsibility when it comes to being in an authoritative position. As the accountable person, questions may be asked of you, however if you were not responsible for the (in)action, you are not liable.
I would see the contractor getting into some serious trouble over this, with the NHS being given a bit of a telling off and being told to use better judgement in who it chooses to make responsible for such things.
Given the requirement for more and more documentation with the CQC and the very long running "If it's not written down then it didn't happen", there must be a policy to deal with data destruction and a fully auditable trail that can track the equipment coming in to the NHS, through the NHS and out of the NHS to the contractor.
Another easy kill for the ICO
Yet another example of how the ICO comes down hard on government agencies. The NHS can't fight back as they must comply with the DPA98. What about the tens of thousands of commercial organisations that incessantly abuse data protection laws... when is the ICO going to start getting tough on them? The fact is, if you're processing personal data and you've not notified the ICO, and you're not exempt from notification, then you're committing a criminal offence. What's the ICO doing about these criminals? NOTHING!
I want to see similar fines handed out to commercial organisations that break the law. It's time the Information Commissioner grew a pair.
Begs the question...
...why the fuck the public sector needs to line the pockets of the private sector for a job like this?
Why doesn't the Trust buy the equipment necessary to destroy the disk? It's only a few grand. After 25/50/100 disks it's paid for itself anyway. The mechanical machines are not rocket science to operate - they give the job of turning the handle to the lowest cost member of staff they can find.
The NHS are responsible and should be fined. They in turn should sue the contractor for the entire sum plus all costs. That is correct procedure; they should not be whingeing.
If the contractor is too small and can't pay then the NHS is out of pocket, but that is their own fault for using sub-par contractors. The lowest price is not always the best solution.
Always ensure your contractors have indemnity insurance (PI)! If they don't, they can't do the job.
How much would it have cost the NHS to get someone, kit him or her out with a Torx screwdriver set for less than a fiver off eBay (lol) and a hammer, dismantle the drives, pop out the platters, wipe them with a magnet, and then mash them up with said hammer...
Time to be downvoted ....
...... as while the public will pay the fine the NHS were responsible, they collated and compiled the data so should not have let it out of their sight when it was so easy to access.
While we aren't the most modern shop here, we always run drives through KillDisk a couple of times before passing them for disposal. Yes, the most determined person in the world may be able to revert what we did in order to obtain files, but it at least proves that we made an effort to make sure we aren't passing easily accessible info to 3rd parties.
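Added example, not the commenter's own code or any KillDisk/DBAN tooling: a read-back check run after the wipe tool finishes, so the "we made an effort" claim is backed by a recorded pass/fail rather than an assumption. It assumes a Linux-style block device path or an image file; the two test images below are constructed stand-ins for a real drive.

```python
import os
import random
import tempfile

SECTOR = 512


def verify_wipe(path, pattern=b"\x00", samples=None, seed=None):
    """Confirm a wiped disk (block device or image) contains only `pattern`.
    samples=None reads every sector (the evidence to keep before the drive
    leaves the building); an integer spot-checks that many random sectors.
    Returns (ok, offending_byte_offsets) so the result can be logged."""
    expected = pattern * (SECTOR // len(pattern))
    bad = []
    with open(path, "rb") as dev:
        dev.seek(0, os.SEEK_END)           # works on block devices, unlike stat()
        sectors = dev.tell() // SECTOR
        if samples is None:
            offsets = range(0, sectors * SECTOR, SECTOR)
        else:
            rng = random.Random(seed)
            offsets = sorted({rng.randrange(sectors) * SECTOR for _ in range(samples)})
        for off in offsets:
            dev.seek(off)
            if dev.read(SECTOR) != expected:
                bad.append(off)
    return (not bad, bad)


def make_image(size_sectors, leftover_at=None):
    """Constructed test image: zero-filled, optionally with one sector of fake
    record text left behind, as an interrupted or skipped wipe would leave."""
    tmp = tempfile.NamedTemporaryFile(delete=False)
    with tmp:
        tmp.write(b"\x00" * (size_sectors * SECTOR))
        if leftover_at is not None:
            tmp.seek(leftover_at * SECTOR)
            tmp.write(b"NHS no 000 000 0000, constructed sample record")
    return tmp.name


if __name__ == "__main__":
    print("clean drive:", verify_wipe(make_image(2048)))              # (True, [])
    print("failed wipe:", verify_wipe(make_image(2048, leftover_at=1000)))  # (False, [512000])
```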
Never mind that, who is going to pay for the removal of my defective breast augmentation implants? Private or public sector?
... or it didn't happen!
Any chance of clarifying what "registered contractor" means in this context? It has the feel of weasel words to allow the guilty party/parties to try and deflect the blame.
If the "registered contractor" was employed by the NHS trust in an internal position, I can see why the NHS have been fined and they may be able to pursue the costs from the contractor's insurance.
If the "registered contractor" was either an employee of an external asset disposal contractor or a contractor at an external asset disposal company, I would expect that the data disposal company would end up with the costs.
The interesting thing is that the "registered contractor" has been questioned by police and no charges laid. That suggests there was no paper trail to protect the innocent.
As a WAG, maybe the "registered contractor" was the mate of an IT manager who was getting rid of them on the cheap and ended up in a bad place....
Left Hand, pay Right Hand
This is a pointless exercise.
Come on, my company could do a better job of data wiping than that
even though our WEEE records are in Excel, our wiping software is DBAN and our procedures are in my head. (We're quite a small operation.)
Data deletion Device
It seems it would not have been impossible to have wiped the disks BEFORE they left the Trust computers. The Chief Exec and whoever decided NOT to wipe the drives should be sacked.
why not in-house?
I'm not sure whether this became almost inevitable in the days of contracting out many things coupled with saving money in every way possible. However, I'm not sure how the costings would play out if the disks were wiped to certain standards within the NHS, and then they could be merely re-distributed down the line to machines that could still usefully need hard disks of this size: that way, the responsibility firmly remains within the NHS, and the fate of the disks lies with people who are still firmly within the NHS.
How absurd! Who do you think will have to pay? The penalty should be personal on the chief executive. Then we'll see action to stop this sort of loss.