I don't get it, all these employ a specialist etc etc etc. All they need to do is to get a tech to hit each drive a half dozen times with a sledgehammer. The platter shatters into bits so you'll never get data off of it, much cheaper and harder to avoid.
NHS fights record £325k ICO fine after clap records appear on eBay
An NHS Trust is disputing a record fine the Information Commissioner's Office has levelled on it for leaving tons of data on patients and staff on hard drives that were sold on eBay instead of being destroyed. Brighton and Sussex University Hospitals NHS Trust was served a civil monetary penalty of £325,000, the highest handed …
Wednesday 6th June 2012 08:17 GMT LarsG
Tax payer to Government to NHS to Government funded by the Tax Payer.
Morons managed by idiots overseen by the sub-normal, the NHS IT system.
I love it, the tax payer gives money to Government, the Government gives the NHS money, the Government instructs the Courts to take the NHS to task. The NHS is fined and not by much, the money is then given to... The Government. The tax payer then makes up the shortfall.
I suppose MPs need some way to increase their expenses pot, a clever bit of accounting and the Government appears blameless.
Wednesday 6th June 2012 08:28 GMT The BigYin
Re: Tax payer to Government to NHS to Government funded by the Tax Payer.
@LarsG - the drives were taken away by a private contractor under some mad PFI-type scheme which allows the NHS trust to show greater openness and a willingness to be wallet-raped by the private sector (as is government policy). This will all be wrapped up in a bollocks-speak press briefing and contract.
The contractor will be the lowest bidder with the thinnest margins and thus keen to get any profits anywhere they can, which means flogging stuff on eBay.
One other thing you can bet is that the contract will be so one-sided that even if the trust ejects the contractor for such flagrant negligence, they will need to pay compensation for loss of profits (a common clause in PFI deals which is why we have to spunk so much money at our badly run rail system).
I do agree with one thing, fining the NHS is stupid. You fine the contractor and you fire the managers.
Wednesday 6th June 2012 08:35 GMT Marty
Re: Tax payer to Government to NHS to Government funded by the Tax Payer.
It's just wrong for a gov. department to fine the NHS for something like this... All it does is cost the taxpayer, and the actual people damaged by the actions of staff, money..... It doesn't help the situation.
Find the people responsible and remove them from their jobs. Employ people that do the job properly.
Wednesday 6th June 2012 08:51 GMT Bob Vistakin
Re: Tax payer to Government to NHS to Government funded by the Tax Payer.
The police do exactly the same when they're found guilty and "fined", i.e. the money comes from the pool we've paid into via taxes, and after all the middle men have had a nice big bite, goes, err, back into the same pool. It's a farce designed by clever lawyers to ensure no-one in the system really suffers, yet they always benefit financially whilst the PR guys ensure the public thinks it's all been sorted. Again, paid for by us.
Wednesday 6th June 2012 13:18 GMT cs94njw
Re: Tax payer to Government to NHS to Government funded by the Tax Payer.
There's no incentive to avoid fines. They've got very little money, and they have an incredibly hard time keeping things running.
Now they have even less money, and the situation is now worse.
If you want a deterrent for public sector - fine the directors responsible.
Thursday 7th June 2012 14:18 GMT I think so I am?
Re: Tax payer to Government to NHS to Government funded by the Tax Payer.
"Employ people that do the job properly."
This is going to be hard when Gov pays 25-50% below market average for internal techs then removes the gold-plated pension. Or outsources to companies that are only profit driven and not driven to supply the best service possible.
The reason why all public needed services should be government run at even or small profit. Paris because that's obviously a dumb idea.
Wednesday 6th June 2012 11:17 GMT Wize
Re: At the idea of breaking the platters...
"If someone REALLY wants the data off that drive, they will, even with shattered plates."
It's all about effort required. If someone buys a working disk, there is a chance they will try to undelete what files were on it before.
If someone gets a smashed disk, they probably won't bother going to the expense of recovery.
If it's something of value, like military secrets, then it may be worth the cost to the enemy to recover. But if someone wanted a set of hospital files, it's probably cheaper to hire someone to hack them.
Wednesday 6th June 2012 12:12 GMT Anonymous Coward
Hit the drive with a sledgehammer and.... crash the heads, only they'll be parked so it doesn't do a lot save dent the case.
The safest way to destroy a drive is to melt it down. That's not likely, so the alternative is to crack the drive open, remove the platters and then apply a metal file to the surface, then bend it in half, then into quarters, then hit it with a hammer to flatten it, then send the platters all mixed up off to recycling. Takes time but it's safer than a sledgehammer. It's also safer than running magnets over the drives (there's still latent markers on the disks that can be read with the right kit).
Wednesday 6th June 2012 08:16 GMT sabba
The equation is really rather simple...
...if you can't afford to pay a penalty then:
1. do your job properly in the first place
2. don't try to cover it up again and again
I am not overly sure whether it's failings in the recruitment process within the administrative / managerial side of government departments that ensures this level of incompetence or if people just become lazy / disengaged / demotivated to such an extent that they no longer give a f*@k. Either way something has to change. Perhaps if the fund cannot afford to pay the penalty their chief exec should do the honourable thing and throw him-or-herself on the proverbial sword (perhaps with a ban on their taking up a similar role for the next 5 years).
Wednesday 6th June 2012 09:14 GMT sabba
Re: The equation is really rather simple...
The 298k plus benefits would certainly reduce the overall outlay. And with regards to his moving on to another trust, that's why I advocated at least a 5 year ban on his taking up other such posts. The number of times these guys 'do the honourable thing' by resigning only to move on to another similar role to do it all again (after using their golden parachute of course).
Wednesday 6th June 2012 08:17 GMT KjetilS
Excuses...
"We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal."
... yeah, that really helps if a regular person says the same thing.
"Sorry officer, I can't afford to pay that fine, so you can't fine me. Pardon me while I get back to breaking the law."
Wednesday 6th June 2012 12:30 GMT despairing citizen
Re: Excuses...
If the appeal ends up in front of a judge, the cost is going to be a damn sight higher than £325k.
They don't have a case, they have clearly failed to understand, let alone comply with the relevant legislation. I can see a judge awarding costs on this for NHS stupidity, and wasting time appealing.
Please get the twit CEO out of the office whilst the trust still has some money left.
Thursday 7th June 2012 14:50 GMT Intractable Potsherd
Re: Excuses...
I'm not sure that there isn't a case. There is certainly sufficient evidence given to this point to say that the Trust did a good job of maintaining the drives in a safe place, etc. The incompetence comes in at the level of the contractor that allowed a fly-by-night operator to do a job that should have been handled to the highest standards, not the lowest.
I am a little baffled, though, that the drives were allowed out of the building without any form of encryption and/or wiping (even writing random 1s and 0s would be better than nothing). As an earlier commenter mentioned, few people would go to the trouble of trying to get information that has been well scrambled off a drive with no history of where it came from.
Don't get me wrong, someone needs a kicking. I think (on the evidence given so far) that the contractor should be taking the hit for this.
Wednesday 6th June 2012 08:17 GMT Nev
Riiiiight...
""In a time of austerity, we have to ensure more than ever that we deliver the best and safest care to our patients with the money that we have available. We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal."
Can we try and use that defence for parking and speeding fines too, then?
Wednesday 6th June 2012 08:21 GMT Colin Millar
Ridiculous money-go-round
One crat passing tax-payers' money to the next crat, leaving the first crat with a financial hole that yet another crat will have to fill - what kind of cnut dreamed up this system? Oh yes - yet another crat. I wonder if any of these people actually ever think beyond the end of their own desk?
Big brother would be watching you but he's too busy sharpening his pencils.
Wednesday 6th June 2012 12:43 GMT despairing citizen
Re: Ridiculous money-go-round
The purpose of the fine is to make it painful for the budget holder, so that;
(a) they take action to avoid being fined
(b) that heads roll, and the next person in charge has his mind sharply focussed the next time somebody suggests tossing out some disk drives
Personally I would like to see directors and officers in the NHS held personally accountable for the fines, but short of that this is as good as it gets.
PS. Nationwide got a base £1.4m fine from the FSA, when the data was stolen from a locked house
Wednesday 6th June 2012 08:28 GMT Nev
Re: ?? in this time of austerity....
Looks like he got some nice pay rises too:
http://www.theargus.co.uk/news/8195349.Brighton_hospital_boss_earns_more_than_the_Prime_Minister/
"Duncan Selbie, chief executive of Brighton and Sussex University Hospitals Trust has an annual salary of between £180,000 and £185,000. "
Stepping down in July to head up some Quango:
http://www.theargus.co.uk/news/9634864.Brighton_hospital_chief_stepping_down/
Wednesday 6th June 2012 08:32 GMT The BigYin
This
In buckets. Either they lied or did not properly investigate. Either one I would call gross professional negligence. Heads must roll (with no golden goodbye, pension protection or anything).
Out on the street, just like anyone else.
But this is government luvvie duvvies we are talking about. Just watch, those at the centre will pop-up again as "experts", "thought leaders" or with some other vacuous title.
Wednesday 6th June 2012 10:43 GMT The BigYin
Re: No fine - just sackings
@MJI - they are all equally important.
The cleaners make sure you don't catch whatever the poor sod next door has.
The nurses make sure nothing bad happens to you and that treatment is administered.
The doctors figure out what that treatment is.
The managers make sure the kit is available for you to be treated.
What should not happen (and you are quite right about) is for a pen-pusher to be mah-hoos-ively overpaid.
In fact, regardless of industry, the people at the top getting paid orders of magnitude more than those at the bottom (who do the actual work) is a serious issue in our society.
Thursday 7th June 2012 08:45 GMT MJI
Re: Big Yin
Well I had an operation last year so was in a week.
Nurses were good, but I did not appreciate being woken at 3 in the morning for a blood pressure check and being in agony as the pain killers had worn off - needed morphine to get back to sleep. (few hours after op).
My biggest complaint was lack of communication between staff, and me being trial and error.
Wednesday 6th June 2012 08:37 GMT keithpeter
How often?
"...and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay."
Sounds expensive, and the original contractor is getting paid, unless they got ebay to remove listings &c
If the contractor had spent the time writing random bits to the hard drives, would anyone have ever known about this? I'm assuming the contractor is off the hook as there was no proper contract.
Wednesday 6th June 2012 08:43 GMT David 45
Loads-a-money
It always seems slightly ludicrous to me to fine a public body like the NHS or a local council, as the money ultimately comes out of tax-payers' pockets anyway. Surely there should be a personal come-back against whoever caused the problem in the first place, as a deterrent, otherwise errors will continue. Admittedly, this would probably require additional investigation by the ICO but that's what they're for, presumably.
Wednesday 6th June 2012 09:51 GMT mccp
Maybe because they didn't have a contract? Presumably the ICO reckons that it's not good enough just to ask someone to get rid of a few hard discs; there should have been a proper contract in place that required that the drives were decommissioned properly.
If there had been a proper contract in place, then the NHS would be in a position to sue the contractor _and_ to defend itself against the fine (IANAL).
Wednesday 6th June 2012 11:52 GMT ed2020
Even if nothing was written down there is still a contract in place - there was an exchange of goods/services for payment.
Even if there is no documented evidence of the expected destruction of the drives surely nobody's going to believe the NHS were paying a third party to flog old kit, containing sensitive information, on eBay.
Wednesday 6th June 2012 09:05 GMT Kevin Johnston
Repeating I know but...
As said by many above and on all too many similar articles...
DON'T fine the public body, fire and then prosecute the senior managers. If it involves sub-contractors then prosecute them too.
The lines of responsibility should be down in written procedures and if you are listed as the person responsible for making sure it works then you take the blame, the marching orders and the legal slap when it doesn't (do not pass Go, do not collect ANY money). The only defence would be to show that people deliberately ignored the process, at which point they go onto the bonfire instead.
Wednesday 6th June 2012 09:17 GMT Anonymous Coward
@Kevin Johnston Re: Repeating I know but...
Let's not forget the situation where Mr. IT was given verbal orders by some higher-up to skip the bidding process, or rig the bidding process to ensure Contractor X gets the contract, because Mr. Higher Up has a cosy relationship with (kick-backs from) Contractor X.
Corruption -- it usually goes all the way up to the top.
Wednesday 6th June 2012 09:48 GMT Ross K
£325k?
£325k? That's nothing. The annual wage bill for a couple of NHS managers maybe...
It's not going to affect the quality of service the NHS provides its "customers", so I dunno what that mouthpiece is moaning about. I'd be all for multiplying that fine by 10, except that it's the taxpayer who gets shafted in the end.
Wednesday 6th June 2012 13:04 GMT Dave the Cat
Re: £325k?
Nurses - around 4 nurses pay and pension for one year, depending on experience and length of service
Operations - Again depending on type, roughly 10 heart transplants or 3.5 liver transplants (inc lifetime of aftercare) or 46 hip replacements,
Other NHS Services - 3066 individual trips to A&E or 13540 GP appointments (no drugs) or Treat 280 severe asthma patients or treat 15 breast cancer patients with Herceptin for one year or treat 9 cancer sufferers in one year with chemo and radio therapies***
That is all.
*** Figures are a few years old now ( < 5yrs).
Wednesday 6th June 2012 16:16 GMT Ross K
Re: £325k?
@Soruk:
OK I should have made the sarcasm in my post clearer. There are NHS managers out there making (I nearly used the word "earning"...) more per year than David Cameron or Angela Merkel - a figure of £145k was mentioned by someone earlier...
That's wrong. These guys are doing nothing to improve anybody's lives except their own.
Wednesday 6th June 2012 12:51 GMT despairing citizen
Re: £325k?
The maximum fine for those regulated by the ICO is £500k; the government, probably guessing who was going to be picking up most of the fines, chickened out and did not set it to the FSA standard.
The FSA gets to think of a suitably painful number and demand it as a fine. The most similar case to this was the Nationwide stolen laptop, which earnt them a £1.4m base fine (reduced because they reacted quickly to plug the hole).
Wednesday 6th June 2012 10:05 GMT wowfood
so let me get this straight
The NHS cocks up, primarily because they don't have the money or staff to keep a proper eye on things. The way to solve the issue is to fine them even more money, so they have even less money to hire reputable companies or staff, which will lead to more cockups and fines.
Its like the idea of giving them a lower budget so they don't have enough doctors, so they wind up paying 10* a normal salary for a temp.
Why don't we just take away all their money, let the system collapse and move to a healthcare system like the USA has, because that's clearly where the government wants us headed.
Wednesday 6th June 2012 13:04 GMT despairing citizen
Re: so let me get this straight
The NHS has lots of money, and it is the largest single employer in Europe.
What it lacks is quality employees in managerial posts (i.e. it needs fewer managers, and more management).
It is also worth noting that all NHS IT jobs come with the tag "must have previous NHS experience", despite the track record of failure in NHS IT.
You also end up with managers sending SHOs rather than consultants ("to save money") to see new cancer patients at a community hospital (i.e. no backup), and then wonder why they end up in court with the next of kin, and a bunch of barristers.
Consultants may be expensive, but their hourly rate is less than a barrister's! - No Brainer!
So the problem is not number of bodies or size of budget, it is simple competence.
Wednesday 6th June 2012 10:29 GMT Christoph
Asking for it
They locked up the drives for two years, then moved them somewhere else, then looked around for someone to sort them out? Hardly surprising that it went wrong.
If drives with extremely sensitive data were redundant and removed, they should have gone straight to secure destruction.
And surely an NHS region can find enough spare cash to get some gadget that can mangle a disk drive beyond the ability of anyone short of GCHQ to recover data from it.
Wednesday 6th June 2012 13:41 GMT Anonymous Coward
Re: Asking for it
"surely an NHS region can find enough spare cash to get some gadget that can mangle a disk drive beyond the ability of anyone short of GCHQ to recover data from it."
Yes, it's called "a PC" (with a CD-ROM or USB boot capability).
http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml
http://www.dban.org/
Wednesday 6th June 2012 10:48 GMT ukgnome
I worked as a contractor for the NHS a while ago. All end-of-life kit was placed in storage until it was cost effective to contact the WEEE man. All hard drives had been taken out and when the WEEE man arrived he would shred them on site.
Now I can't speak for other authorities, but the one that I worked for had that policy. Part of the problem is the fragmentation of the NHS. If everyone sat under one roof with a nominated supplier then this wouldn't happen. However this is more likely now that "competition" will be introduced as part of government reforms.
Wednesday 6th June 2012 11:11 GMT John Brown (no body)
How feckin' long?
"The Trust decommissioned a number of hard drives back in March of 2008, which were then stuck in commercial storage in a locked room watched by CCTV. Two years later, around a thousand of the drives were moved to Brighton General Hospital and put in a room that could only be accessed with a key code."
WTF were they doing in paid for commercial "secure" storage for two feckin' years?
And of the "around a thousand" which were moved back to local storage, how many were left and still being paid for in storage?
I could probably have bought or built a shredder, destroyed the drives, documented the process and still made a healthy profit just based on the storage costs alone. (you don't think they paid the £5-10 per week we mere mortals can hire storage space for, do you?)
Wednesday 6th June 2012 12:14 GMT ZenCoder
Why not securely erase the drives and sell them?
Is there really any way of recovering data from a hard drive that's been overwritten three times by random numbers? Once is enough to prevent any normal data recovery.
Since the write head will be slightly out of alignment on each pass, I suppose if you're using a device that is several orders of magnitude higher in resolution you could read the current and an old track, but once it's been overwritten three times, it would be a mess of overlapping magnetic fields.
You could write some software that will log the serial number and model numbers reported by the drive after it's been securely erased. That way the workers can't get lazy and not process the drives.
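The overwrite-and-log approach ZenCoder describes above, written out as an added Python example (this is not code from the original thread, from the Trust, or from any contractor's tooling). It overwrites a drive with CSPRNG passes, finishes with an all-zero pass that can be verified by reading the whole device back, pulls model and serial from `smartctl -i`-style output, and appends a hash-chained audit line so a skipped or edited entry is detectable. The sample `smartctl` text, the file standing in for `/dev/sdX`, the operator name and the "patient" filler are all constructed for the demo; a drive that fails verification never gets a record.

```python
"""Overwrite a drive, verify the final pass, append a chained audit record.
Example code for this thread; all sample data below is constructed."""
import hashlib
import json
import os
import secrets
import tempfile
import time

CHUNK = 1 << 20  # read/write granularity, 1 MiB


def parse_smartctl_identity(text):
    """Pull model and serial out of `smartctl -i`-style output lines."""
    ident = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue
        key = key.strip()
        if key in ("Device Model", "Model Number"):
            ident["model"] = val.strip()
        elif key == "Serial Number":
            ident["serial"] = val.strip()
    return ident


def _fill(dev, size, source):
    """Write `size` bytes from source(n) -> bytes, then force them to media."""
    dev.seek(0)
    left = size
    while left:
        n = min(CHUNK, left)
        dev.write(source(n))
        left -= n
    dev.flush()
    os.fsync(dev.fileno())


def overwrite(path, passes=3):
    """`passes` passes of CSPRNG data followed by one all-zero pass, so the
    end state can be checked by reading back. Returns the size in bytes."""
    with open(path, "r+b", buffering=0) as dev:
        size = dev.seek(0, os.SEEK_END)  # valid for files and block devices
        for _ in range(passes):
            _fill(dev, size, secrets.token_bytes)
        _fill(dev, size, lambda n: bytes(n))  # bytes(n) is n zero bytes
    return size


def verify_zeroed(path):
    """Read the whole device back; True only if every byte is 0x00."""
    with open(path, "rb", buffering=0) as dev:
        while True:
            buf = dev.read(CHUNK)
            if not buf:
                return True
            if buf.count(0) != len(buf):
                return False


def wipe_and_certify(path, identity, operator, passes=3):
    """Wipe, verify, and return the audit record. Raises on a failed
    verification so an unverified drive never gets a 'done' entry."""
    size = overwrite(path, passes)
    if not verify_zeroed(path):
        raise RuntimeError(f"verify failed, serial {identity.get('serial')}")
    return {
        "model": identity.get("model", "?"),
        "serial": identity.get("serial", "?"),
        "bytes": size,
        "random_passes": passes,
        "final_pass": "zeros",
        "verified": True,
        "operator": operator,
        "timestamp": int(time.time()),
    }


def append_record(log_path, record):
    """Append one JSON line carrying the SHA-256 of the previous line, so
    removing or editing an earlier entry breaks the chain. Returns the new
    line's hash."""
    prev = "0" * 64
    if os.path.exists(log_path):
        with open(log_path, "rb") as f:
            lines = f.read().splitlines()
        if lines:
            prev = hashlib.sha256(lines[-1]).hexdigest()
    line = json.dumps(dict(record, prev_hash=prev), sort_keys=True).encode()
    with open(log_path, "ab") as f:
        f.write(line + b"\n")
    return hashlib.sha256(line).hexdigest()


# Constructed sample: a temp file stands in for /dev/sdX, and this smartctl
# output is made up (the labels match real `smartctl -i` output).
SAMPLE_SMARTCTL = "Device Model:     EXAMPLE-HDD-500\nSerial Number:    EXAMPLESERIAL001\n"
FILLER = b"PATIENT,NHS1234567,constructed-filler\n" * 4096


def demo():
    """Wipe a constructed image and log it twice; report what a test can check."""
    ident = parse_smartctl_identity(SAMPLE_SMARTCTL)
    with tempfile.TemporaryDirectory() as d:
        img, log = os.path.join(d, "sdX.img"), os.path.join(d, "wipe.log")
        with open(img, "wb") as f:
            f.write(FILLER)
        rec = wipe_and_certify(img, ident, operator="tech-1", passes=1)
        first = append_record(log, rec)
        append_record(log, rec)
        with open(log, "rb") as f:
            last = json.loads(f.read().splitlines()[-1])
        return {"record": rec, "zeroed": verify_zeroed(img),
                "chain_ok": last["prev_hash"] == first}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real disk you would run this as root with the block device path and the output of `smartctl -i` for that device. Two caveats a practitioner would add: a host-side overwrite cannot reach sectors the drive has already remapped (and an SSD remaps constantly), so for those the ATA Secure Erase that the CMRR link earlier in this thread describes, or physical destruction, is the right tool; and the chained log is only tamper-evident if the last hash is periodically copied somewhere the operator cannot write.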
Wednesday 6th June 2012 12:17 GMT Derichleau
Picking on government agencies again
This is yet another example of how the ICO focuses its resources chasing after government agencies. Contrast this with commercial organisations and the ICO don't want to know. The ICO's record of dealing with commercial organisations is appalling. They can't even carry out an audit against a company without first obtaining permission from the company to do so. And they send out mixed messages all the time. For example, I know for a fact that the ICO will not prosecute for a contravention of the PECR2003. Nor will they prosecute for failing to comply with a section 11 DPA98 request. Yet apparently they're going to kick-ass over tracking cookies? How do they explain the inconsistency?
Wednesday 6th June 2012 15:53 GMT Lockwood
Re: Picking on government agencies again
I had a slight rant the first time this came up.
Good that the NHS are challenging it.
To the people who say that heads should roll in the NHS, I ask you why?
You ask me to do a task.
I say that I will do the task.
I get Bob down the pub to do the task.
Bob fails.
You get in deep poopies because of Bob's action.
Wednesday 6th June 2012 13:52 GMT despairing citizen
Where to start
So no clear ownership of the data management process
Hired "fred in a shed" to carry out work involving S2/DPA98 data
Didn't write a proper contract (therefore probably no transfer of liability and duties with the drives)
Did anybody check that the end party has the appropriate procedures and equipment to dispose of the drives?, do they have the appropriate professional indemnity cover?
There are a lot of people in the NHS with the word "manager" in their job title, yet to meet many people in the NHS that I would call a Manager.
Wednesday 13th June 2012 13:49 GMT JasonB
Re: Where to start
The problem with the NHS is quite simply that no-one in authority seems to take confidentiality seriously.
Brighton will have a Data Protection Officer, but you can bet he (or she) is so low on the pecking order that he/she can safely be ignored. Communications Managers and Business partners are paid a small fortune, not to mention all the experts that are hired in as 'consultants' to give ... erm ... advice on stuff.
I've been to one or two seminars with ICO spokesmen there and they take the attitude that if the organisation structure for confidentiality is wrong that will bump up the fine. Might explain the high fines being given to the NHS then.
I'm
Wednesday 6th June 2012 18:42 GMT Stuart Grout
Pay the fine and go after the contractor
I assume the contractor the NHS was paying was responsible for doing the job correctly.
They failed and landed their customer with a big fine. I'd be very surprised if the NHS couldn't go after the contractor for the fine and any other expense they can think of. Then maybe the contractor would be even more careful about which subcontractor they employed.