The Information Commissioner’s Office (ICO) has taken action against a health care provider after an unencrypted memory stick containing sensitive patient information was lost.
Praxis Care Limited breached both the UK Data Protection Act and the Isle of Man Data Protection Act after losing the memory stick. The ICO says the memory stick contained personal information relating to 107 Isle of Man residents and 53 individuals from Northern Ireland, some of which was sensitive information relating to individuals’ care and mental health.
The memory stick was lost in August 2011 and has not been recovered, the ICO says. Praxis alerted all affected people and has so far received no complaints.
The avoid any potential data breaches in the future, Praxis has agreed to make sure that all portable media devices are encrypted and any information that is no longer needed will be securely disposed of. The company has also updated its data security guidance.
"Carrying people’s personal information around on an unencrypted memory stick is clearly unacceptable," said Christopher Graham, UK Information Commissioner. "The fact that some of the personal details stored on the device were out of date and so surplus to requirements makes this breach all the more concerning."
"Today’s joint action aims to send a clear message to organisations that a lax attitude to data security will not be tolerated by either the ODPS or the ICO. We will continue to work with regulators in other countries to ensure that our residents’ personal information is protected," added Iain McDonald, Isle of Man Data Protection Supervisor.
The ICO has been getting tough on data breaches recently. In December 2011 it handed out its biggest penalty to date, fining Powys County Council in Wales £130,000 for sending details of a child protection case to the wrong recipient. That was just a few days after it fined Worcestershire County Council £80,000 and North Somerset Council £60,000 after both emailed highly sensitive information to the wrong recipients.
Earlier this year it emerged the ICO was set to hand out what would be its biggest ever penalty, with a fine of £375,000 being handed down to Brighton and Sussex University Hospitals NHS Trust after 232 hard drives containing sensitive patient information were stolen while being decommissioned.
The Trust has said it will appeal the fine as it was the victim of a crime rather than the guilty party.
Chris McIntosh, CEO of ViaSat UK, drew comparisons between the fines handed out by the ICO and those handed out by the FSA for regulatory breaches and failure to take due care.
"The ICO should not stop lobbying for more powers to enforce its responsibilities. Audits on demand and increased financial penalties are the minimum it should aim for: when the likes of the FSA can fine companies more than 6 times the ICO’s maximum penalty for failures to act with due care, it seems clear that penalties could be increased from the £500,000 limit," he said.
