Breach details
| What | Sensitive personal data (medical) faxed to an incorrect recipient. |
| How much | 3 records. |
| When | August and September 2011 |
| Why | Three faxes containing just about every category of sensitive personal data were sent to the wrong recipient. This breach of confidentiality occurred despite the trust having both a secure fax environment and appropriate procedures in place which included call-ahead and a requirement to use pre-programmed destinations. The breach occurred because members of staff were unfamiliar with the policy, so didn’t call ahead and manually dialled the (wrong) recipient’s number. |
Regulatory action
| Regulator | ICO | Action | Monetary penalty of £55,000 |
| When | 11 June 2013 |
Why the regulator acted
| Breach of act | Breach of the seventh principle: the trust had insufficient management controls and did not provide the appropriate training for the staff. |
| Known or should have known | The trust was aware that there was risks sending information by fax because it had introduced the safe haven and best practice. It should have known that the best practice guidelines needed to be backed up by training and management controls. |
| Likely to cause damage or distress | The Commissioner’s usual argument that the data subjects, some of who were vulnerable adults, may have suffered distress knowing that their medical data had been read by an unauthorised third party. |