The Information Commissioner’s Office (ICO) has fined a nursing home in Northern Ireland for a serious data protection breach after an employee’s laptop was stolen. Whilst the penalty imposed in this case was £15,000, the ICO says a bigger organisation can expect to receive a much larger fine if it fails to keep personal information secure.
The ICO upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. It has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act (FOIA) 2000, Environmental Information Regulations (EIR) 2004 and Privacy and Electronic Communications Regulations 2003. It has, amongst other powers, the power to impose a monetary penalty on a data controller of up to £500,000.
Nursing home breach
In the case of Whitehead Nursing Home (the Home), a member of staff took an unencrypted work laptop home, which was stolen during a burglary overnight. The laptop contained sensitive personal details relating to 46 staff, including reasons for sickness absence and information about disciplinary matters. It also held details about 29 residents of the Home, including their date of birth, mental and physical health and ‘do not resuscitate’ status.
The ICO reported that their investigation “revealed major flaws in the nursing home’s approach to data protection. Employees would have expected any details about disciplinary matters or their state of health to have been kept safe. Likewise, residents would not have expected their confidential information to have been stored on an unprotected laptop and taken to an employee’s home. Whitehead Nursing Home had totally inadequate provisions for IT security and procedure and poor data protection training.”
The ICO found that the Home should have had policies in place regarding the use of encryption, homeworking and the storage of mobile devices, and should have provided data security training for staff.
The ICO have said they are keen to show that they can and will act against organisations which they believe are not taking their data protection obligations seriously.
What should organisations be doing to ensure compliance and avoid penalty?
- Conduct a risk assessment of the personal and sensitive personal data that the organisation and its employees hold. The risk assessment should include analysing the number of people who have access to such data, the nature of the organisation’s computer systems and hard copy data, the extent of employee access to personal data and the level of personal data held by any third party on the organisation’s behalf.
- Appoint a person or team to deal with the risk assessment, putting in place security measures in respect of personal data, in particular sensitive personal data, and checking that security procedures are being followed.
- Ensure that there are adequate safeguards in place to deal with both technical problems, for example requiring devices to be encrypted and password protected, and organisational issues, such as the handling and safeguarding of business devices.
- Implement data protection policies which include the following:
  - the proper way to store items containing sensitive personal data, such as a requirement to keep all devices and files out of public sight, i.e. not left unattended in a pub or visible in a car;
  - where laptops and files may be used;
  - how to dispose of notes made on sensitive personal data;
  - a requirement to encrypt all devices and use password protection, keeping all passwords out of public sight; and
  - a procedure for safeguarding sensitive personal data required by third parties.
- Provide thorough staff training to cover the importance of data protection, alerting employees to the risk of devices or papers containing personal data being stolen or lost if security procedures and policies are not followed.
Following a number of 2011 cases involving the theft of laptops, the ICO deputy commissioner, David Smith, warned that “an organisation can’t simply hand over the handling of the personal information it is responsible for to somebody else unless they ensure that the information is properly protected”. Therefore, it is crucial that, as an employer, the organisation implements a robust data protection policy detailing how to keep all personal data secure, giving even greater care to sensitive personal data, and that all employees receive training on the importance of data protection and how to implement the organisation’s safeguarding procedures.