The Information Commissioner (ICO) recently imposed a fine of £15,000 on a Nursing Home in Northern Ireland for failure to keep personal data secure.
A member of staff had taken an unencrypted work laptop home, which was then stolen during a burglary in the night. The laptop contained personal details about staff (including records of sickness absence and disciplinary matters) and residents of the home (including their date of birth and details of their mental and physical health). Such data concerning health in particular is defined as ‘sensitive personal data’ by the Data Protection Act.
An investigation subsequently found widespread failings in data protection: the nursing home had inadequate provision for IT security, had no policies in place on the use of encryption, on homeworking or on the storage of mobile devices, and did not provide sufficient data security training to staff.
The penalty was fixed at £15,000 because of the size of the nursing home business, but a bigger organisation experiencing a similarly serious breach would expect to receive a much larger fine.
This case highlights the possible consequences of a serious data breach and is a reminder that all personal data should be processed in line with the eight principles set out in the Data Protection Act, being that data held should be:
In the case above it was security which was the key issue. Appropriate measures should be taken to prevent unauthorised processing or access to personal data and against loss or destruction of data. Consideration should be given to whether staff require training, where data is held, what devices or information are permitted to be taken off the premises and what security measures for such information might be appropriate.
If you would like information on the above matter or any other employment law issue, then please contact our employment solicitors today.