Information Commissioner issues first monetary penalty to the NHS for serious data protection breach

Blog by Daradjeet Jagpal

Aneurin Bevan Health Board in Wales has become the first NHS organisation to be issued with a monetary penalty notice  by the Information Commissioner’s Office (“ICO”) following a serious breach of the Data Protection Act 1998 (“DPA”).

The ICO issued a penalty of £70,000 after a report containing sensitive personal data relating to a patient’s health was sent to the wrong person. The error arose from a failure by a consultant to spell the name of a patient correctly (the name had been spelled in two different ways in the one letter) and provide enough information to a secretary to enable the secretary to correctly identify the patient (such as the patient’s address or NHS number).

The ICO’s investigation uncovered that neither the consultant nor the secretary had received data protection training and the Board had inadequate processes and procedures in place to ensure that communications were sent to the correct person. The ICO was particularly concerned by the damage and distress caused in this situation and warned that similar enforcement action may ensue if other NHS organisations do not “stand up and take notice of this decision”.

In addition to the penalty, Aneurin Health Board has signed an undertaking with the ICO in terms of which it will provide appropriate data protection training to staff, regularly monitor compliance with data protection and data security policies, and introduce new checks to ensure that a patient’s identity is verified prior to communications being sent out.

This latest decision from the ICO highlights the need for all organisations – not just in the health sector – to ensure that they have appropriate policies and procedures in place which comply with the requirements of the DPA. In addition, it is imperative that employees are made aware of these policies and procedures and are provided with regular DPA and data security training. Failure to comply carries with it the risk of a monetary penalty notice of up to £500,000.


To keep up to date with Harper Macleod news and blogs you can sign up to one of our sector newsletters on our website.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s