Data breach fine for Nursing & Midwifery regulator

The nursing and midwifery regulator has been fined for breaching the Data Protection Act.


The Nursing and Midwifery Council was set up by Parliament to protect the public by ensuring that nurses and midwives provide high standards of care to their patients and clients in England, Wales, Scotland, Northern Ireland and the Islands. It has been issued with a £150,000 civil monetary penalty by the ICO (Information Commissioner's Office) for losing three DVDs relating to a nurse’s misconduct hearing. The disks contained confidential personal information and evidence from two vulnerable children. An ICO investigation found the information was not encrypted.

The council had been couriering evidence relating to a ‘fitness to practise’ case to the hearing venue. When the packages were received the disks were not present, although no signs of tampering were evident. Following the security breach, the council carried out extensive searches to find the DVDs, but they have never been recovered.

Deputy Commissioner and Director of Data Protection David Smith said: “The Nursing and Midwifery Council’s underlying failure to ensure these discs were encrypted placed sensitive personal information at unnecessary risk. No policy appeared to exist on how the discs should be handled, and so no thought was given as to whether they should be encrypted before being couriered. Had that simple step been taken, the information would have remained secure and we would not have had to issue this penalty.”

Mr Smith issued a general warning to organisations to review their policies on how personal data is handled. “It would be nice to think that data breaches of this type are rare, but we’re seeing incidents of personal data being mishandled again and again. While many organisations are aware of the need to keep sensitive paper records secure, they forget that personal data comes in many forms, including audio and video images, all of which must be adequately protected,” he said.

“I would urge organisations to take the time today to check their policy on how personal information is handled. Is the policy robust? Does it cover audio and video files containing personal information? And is it being followed in every case? If the answer to any of those questions is no, then the organisation risks a data breach that damages public trust and a possible weighty monetary penalty.”
