Data Protection - Health Board fined 70K for breach of DPA

Data Protection - Health Board fined 70K for breach of DPA

A Welsh health board has become the first NHS organisation to be fined £70,000 by the Information Commissioner’s Office (ICO) for a serious breach of the Data Protection Act.  The ICO is an independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Any processing of personal information must comply with eight principles set out in the Data Protection Act 1998, including that it is processed fairly and lawfully and in a secure manner.

In this case, a sensitive report containing explicit details pertinent to a patient’s health was sent to the wrong person.  The error occurred because a consultant had emailed a letter to a secretary for formatting without including enough information for the secretary to identify the patient accurately.  A series of errors, including mis-spelling the patient’s name, led to the letter being sent to the wrong individual.

The ICO’s investigation found that neither the consultant nor the secretary had received data protection training and the organisation did not have adequate checks in place to ensure that personal information was sent to the right person.

In addition to paying the penalty, the health board also signed an undertaking to address the ICO’s concerns, including staff training on storage and usage of personal data and regular monitoring of compliance with data protection and IT security policies.

A copy of the ICO press release can be accessed from its website

For further information, please contact Beverley Flynn on

Contact our experts for further advice

Search our site