A fine of £15,000 has been levied against a nursing home for breaking the law on keeping secure the sensitive personal data that it held in relation to staff and service users.
An investigation by the ICO found widespread systemic failings in data protection at the home at the time of a data breach.
A member of staff took an unencrypted work laptop home that held sensitive personal data on employees (absence and disciplinary data) and service users (medical notes and DNR instructions).
Following a burglary at the employee's home, the laptop was stolen, and because it was unencrypted the data could then be accessed by an unauthorised person.
The ICO commented:
“This nursing home put its employees and residents at risk by failing to follow basic procedures to properly manage and look after the personal information in its care.”
“Our investigation revealed major flaws in the nursing home’s approach to data protection.”
“The nursing home had totally inadequate provisions for IT security and procedure and poor data protection training.”
The value of the fine reflects the size of the business. A bigger organisation experiencing a similarly serious breach could reasonably expect to receive a much larger fine.
Legally, organisations must have measures in place to keep the personal information they hold secure.
Processes and policies covering matters such as
encryption of sensitive data,
how and when employees can take that data offsite, and
transfer of data from the main system to USB or other memory devices
need to be created, enforced and trained out to all staff to reduce the risk of losing data, the fines that can be expected to follow, and the loss of confidence by stakeholders in the organisation.
If you have questions or concerns about the way information is managed in your organisation, rradar members can access the ARC teams to discuss this further.