CSI Lifecycle Ltd

Another Large NHS Fine for Improper Data Destruction

NHS Surrey has become the latest organisation to be fined by the Information Commissioner’s Office for a serious data breach due to “failing to check the destruction of old computers”.

Brighton and Sussex University Hospitals NHS Trust were fined £325,000 for a similar offence last year – a topic we wrote about at the time – and NHS Surrey have now been fined £200,000. Since the breach, NHS Surrey has been dissolved with their responsibilities passing to the NHS Commissioning Board who are required to respond to the Monetary Penalty Notice by 22nd July.

There are several key lessons that other NHS bodies – and indeed any organisation which needs to ensure proper security of data – can learn from this story to avoid facing the same punishment:

1. Have a process and stick to it

With such large potential monetary penalties in place for data breaches – the ICO has the power to fine up to £500,000 – having an IT disposal plan can no longer be regarded as an afterthought. A strong written policy is required to ensure that sensitive data like patient medical records are securely handled at the end of the IT equipment lifecycle.

However, just having a policy on its own isn’t enough; it’s vital that procedures are strictly followed, as demonstrated in the case of NHS Surrey. The Monetary Penalty Notice issued by the ICO contains the following text:

“The IT team explained that the hard drives would have to be physically destroyed because they may store confidential medical information.”

In consultation with the company selected to carry out the destruction, NHS Surrey’s IT team made the policy clear, but ultimately it wasn’t robust enough to ensure that the final destruction was completed.

2. ‘Free’ is not always free

The notion of ‘free’ IT disposal is not a new concept in the market, and indeed it has received significant press coverage as recently as March this year when an MP promoted the services of a company providing such as service in his constituency. Industry figures reacted to this by claiming that focusing on price when selecting a disposal provider could increase the risk of a data breach. The below extract from the Monetary Penalty Notice outlines how the company providing the service to NHS Surrey sold on the basis of a free solution:

“The company’s Director explained that they could provide this service free of charge because the recycled materials could be re-sold by the company.”

It is important to recognise that in order to provide high level data security services, companies have to invest significant amounts, be it in licensing for government approved data wiping software, or physical equipment to destroy hard drives through degaussing or shredding.

Therefore selecting a IT disposal provider purely on the basis of price, as opposed to level of quality, could result in an NHS organisation not receiving an adequate level of service. While the service NHS Surrey received might have been ‘free’ at point of sale, the cost to them has transpired to be £200,000 – a figure well in excess of the price of a quality IT disposal and data destruction service.

3. Demand proof of destruction

Not only is it important for NHS organisations to have a strong policy relating to data security, but this policy should be written to include evidence of destruction. The Monetary Penalty Notice noted that this was not the case in this instance:

“The disposal process for redundant equipment did not require the IT team to carry out an assessment of the risks of using a data processor to dispose of the hard drives and they did not observe the destruction process.”

Firstly, due diligence should be carried out on a potential service provider, and as part of evaluating the service, NHS organisations should look to see what proof of destruction can be provided by the supplier. By obtaining such evidence and having an associated audit trail, NHS bodies can have full peace of mind in the robustness of their processes.

4. Beware the consequences

As NHS Surrey have found out to their cost – to the tune of £200,000 to be exact – there are severe consequences for organisations who fall foul of the ICO’s warnings on data breaches. Again, referring to the Monetary Penalty Notice, one can see the scale of the breach at NHS Surrey:

“The company did not physically destroy the hard drives resulting in approximately 1570 hard drives containing confidential and sensitive personal data relating to an unknown number of patients and staff being offered for sale via the internet.”

With each hard drive containing potentially thousands of files, this was a significant breach. Not only does it explain the hefty financial penalty, but it could also lead to reputational damage and weaken the public perception of the NHS.

5. Follow the ICO’s advice

On the back of both the Brighton & Sussex University Hospitals NHS Trust and the NHS Surrey fines, the ICO have attempted to clarify how organisations should be operating with regards to disposal of their IT equipment:

“Commissioner would expect the data controller to have carried out a proper risk assessment and chosen a data processor providing sufficient guarantees in a written agreement that the hard drives would be physically destroyed and that destruction certificates containing serial numbers for each individual drive would be provided.”

Since the data breach occured at NHS Surrey, they have re-written their procedures to take the above guidance into account – a strong policy with serial number reporting required is now in place. They have also gone one step further by requesting CCTV footage of the destruction process as an additional layer of evidence.

Conclusion

The key messages for organisations in the NHS to take away are:

  • Have a strong data security policy
  • Do thorough research on any potential providers
  • Do not select a service provider solely on the basis of price
  • Agree a written contract
  • Get proof of destruction in form of serial number reporting and CCTV recording

For more information about the data destruction services provided by CSI Lifecycle Services, please visit our website.