|Loss of sensitive personal data (medical and details relating to legal proceedings).
|Unspecified but small number of records including two vulnerable children’s details. Details and allegations against a medical practitioner.
|07 October 2011
|In an echo of the infamous HMRC breach of 2007, three DVDs containing unencrypted data relating to a ‘fitness to practice hearing’ went missing somewhere between the Nursing and Midwifery Council’s offices and the hotel where the hearing was due to take place. Although the package was sent by courier, the data on the DVDs was unencrypted.
|Two of the fundamental lesons that every Data Controller should have learned from the HMRC breach were:
Although the Nursing and Midwifery Council use a courier, the sensitive personal data was not encrypted. As soon as anything went wrong, enforcement action was bound to follow.
|Monetary penalty of £ 150,000
|12 February 2013
Why the regulator acted
|Breach of act
|Breach of the seventh principle: the Council failed to take appropriate organisational measures against unauthorised processing of personal data, such as encrypting the data on the DVDs.
|Known or should have known
|The Council was used to dealing with sensitive data and was aware of the potential damage release of the data would cause. The Commissioner also highlighted his own guidance on the encryption of portable media, dating back to 2007.
|Likely to cause damage or distress
|The DVDs contained the medical information of third parties, including two vulnerable children. The Commissioner repeated his usual argument that data subjects would suffer from substantial distress knowing that their confidential and sensitive personal data has been disclosed to unauthorised third parties and that their data may be further disseminated and possibly misused.
|Receiving the report of DVDs that appeared to go missing between a sender and recipient will have caused a stressful outbreak of déjà vu in Wilmslow. Although the data lost related to very few individuals, the sensitivity of the data had a bearing on the amount of the penalty. Organisations should be under no illusions that sending any unencrypted personal data on physical media will attract a monetary penalty.
|View PDF of the Nursing and Midwifery Council Monetary Penalty Notice (Breach Watch Archive)
|View PDF of the Nursing and Midwifery Council Monetary Penalty Notice (Via ICO Website)