If the 3rd Party was contracted to securely destroy the data, then surely *he* should be in the frame for any penalties under the DPA...shouldn't he? Wouldn't that be part of any contract between the NHS and their contractors?
But even if my assumption above is wrong and the NHS *does* have ultimate responsibility, the only people punished by this fine would be the patients whose care would suffer for want of those funds. No one learns anything, the cash re-enters the governmental money-go-round and some treatments are cancelled. Where's the point?