|Inappropriate disclosure of sensitive personal data.
|28 March 2011
|On 45 occasions over a number of weeks inpatient lists were accidentally faxed to a member of the public, when it was believed they were bring faxed to the appropriate number. Procedures were in place to confirm the arrival of faxed lists, however miscommunication meant that only one reception of the lists was being confirmed, while a second fax number actually belonged to a member of the public.
|Monetary penalty of £ 90,000
|21 May 2012
Why the regulator acted
|Breach of act
|Inpatient lists faxed to incorrect recipients. Lack of sufficient policies to prevent such an event. Inappropriate organisational and technical measures.
|Known or should have known
|Staff were used to dealing with impatient data and were aware of its sensitivity, hence having fax protocols.
|Likely to cause damage or distress
|Medical data of patients.
|This was the first Monetary Penalty Notice to be appealed to the Information Tribunal. The appeal was heard in December 2012 and the decision released on 15 Jan 2013. The appeal was rejected.
|View PDF of the Central London Community Healthcare NHS Trust Monetary Penalty Notice (Breach Watch Archive)
|View PDF of the Central London Community Healthcare NHS Trust Monetary Penalty Notice (Via ICO Website)
|View PDF of the Information Tribunal Decision.
|An analysis of the tribunal decision at the Panopticon blog. (Interestingly barristers from 11KBW acted for both the Commissioner and the Trust)