NHS fined £375k after stolen patient data flogged on eBay

The Information Commissioner is proposing to issue its heaviest ever fine for a breach of UK data protection laws. It proposes fining a health body after patient records were stolen from a hospital and sold on eBay. Brighton and Sussex University Hospitals NHS Trust told that hard drives containing patient data had …


  1. Anomalous Cowturd

    Thank you, ICO.

    For taking all that money out of the health service, for the benefit of the people.

    Instead, how about locking up and fining the shitbag who decided that it would be a good idea to flog off the drives he had been contracted to destroy.


    1. Anonymous Coward

      I agree with the sentiment.

      The problem with this is that the shitbag will have done this a) in the name of the NHS (as in, will have been working for them at the time, probably still) and b) in good faith, believing the sales pitch of fully privacy-ensured data deletion and buzzword buzzword buzzword buzzword, guaranteed! Think middle manager and how such positions attract pointy hair something fierce.

      In the end, the NHS will, as it logically must, still end up with the buck for this. It would be nice to be able to pass fines like that on, but I doubt they made sure they could when they signed the contract, so probably not.

      As such, the ICO really should not be listening to "but it wasn't me, guv!" arguments. Think about it. What would happen if they did? Then it'll always be someone else that "did it", and stupidity like this will remain unpunished as long as everyone in the chain can find someone else to point to. It's the NHS's ultimate responsibility to care for the data. So it's them that get fined.

      1. Lamont Cranston

        An end to the culture of sub-contracting

        all the public service functions, would make it a lot easier to hold people to account when things go wrong.

        Flog your services off to the lowest bidder, and they'll do a shit job, but you won't be to blame and the NHS can pick up the fine - yeah, I can see why this is so popular.

    2. Rameses Niblick the Third (KKWWMT)

      Whilst I agree with the principle of the original point, I feel that the proper process here should be that the Trust takes the fine, and subsequently sues the subcontractor for breach of contract, plus whatever else is applicable, and recovers the cost of the fine.

      As I see it, the trust is responsible for the data, as it was the organisation the data was given to, and the subcontractor is responsible for keeping to their agreed contract. Therefore the Trust has to take the hit for the data breach and should recover losses from the subcontractor for the contract breach.

      However, IANAL.

    3. Loyal Commenter Silver badge

      In the end, though

      Surely it is the responsibility of whoever subcontracted the work to ensure that there was a proper audit trail of what happened to the disks after they left NHS premises, and adequate proof that they were being destroyed.

      If they failed to do this, and the drives were put up for sale, then it is entirely their fault.

      If, however, the discovery that the drives were being put up for sale was a result of proper audit procedures, then they should be entirely in the clear.

      If you have sensitive information that is covered under the DPA, you can't just hand it onto someone else with the promise that they will destroy it for you - you must have proof that this is happening.

      1. Anonymous Coward

        In the end the NHS is still responsible.

        The NHS cannot simply say "lookit, 'twasn't us, 'twas dem that we gave the problem to." The NHS still has to answer to the ICO. They must then go to the subcontractor and sue them for breach of contract (to the tune of that fine and a wee bit more, say).

        Of course it is skewed that had nobody noticed, no fines would've been handed out, and moreover that now that they've been right quick preventing the data from actually getting flogged off, they face a fat fine. It's too easy to see that as a fine for doing your job, though apparently a few downvoters do.

        So I agree some leniency for quick action is warranted. But that's not the same as "entirely in the clear"; they're still responsible for what happened to the data. There really is no way around that without the ICO risking letting itself be led down the garden path. (Disagree? Show how.) Quite possibly the ICO cannot even fine the subcontractor --really, whatever for?--, so they have no choice but to fine the NHS.

        So the NHS, and for that matter anyone dealing with sensitive data, better learn to make sure they can indeed pass on that fine to the subcontractor, by including "you pay our ICO fines should anything go amiss" in the contract.

        In fact, were I the NHS I'd put that and more in, then beg the ICO to double the fine so as to smash crooked contractors into oblivion. Do you see another way to do it?

        1. Intractable Potsherd

          Any decent lawyer ...

          ... would have had a clause in the contract saying "if you, by action or inaction, make us liable for fines under the DPA or other legislation, you will be paying the fine and all our costs". That this wasn't done suggests that the idiots at the health authority/trust accepted a standard form contract stuck under their noses by the company. Now they need to spend more time and money on suing the firm. Sad for the provision of healthcare in the affected area, but people only learn from mistakes.

    4. RW


      Until the doofus managers who oversee such fiascoes feel some serious hurt — by preference in their pocketbooks — no tightening up will take place. Indeed, I'd name and shame them, and then put their names on a blacklist "do not employ this person in IT management".

      The crazy system of one arm of the Crown fining another is...well...crazy. Which party originally inflicted this insanity on the suffering British people, pray tell?

    5. Mark 65

      At some point I'm sure these organisations will just work out that it is cheaper to run whole disk encryption.

  2. Mako


    If the 3rd Party was contracted to securely destroy the data, then surely *he* should be in the frame for any penalties under the DPA...shouldn't he? Wouldn't that be part of any contract between the NHS and their contractors?

    But even if my assumption above is wrong and the NHS *does* have ultimate responsibility, the only people punished by this fine would be the patients whose care would suffer for want of those funds. No one learns anything, the cash re-enters the governmental money-go-round and some treatments are cancelled. Where's the point?

    1. Anonymous Coward

      The NHS *always* has ultimate responsibility.

      That's just how delegating a task works: You tell someone else to do it, and they answer to you for how they'd done it. You don't lose responsibility for how the task is done. So even if there are effective pass-the-buck clauses in the paperwork, the news would still be "NHS gets fined".

      And yes, ultimately it's the patients that suffer. That, too, is the responsibility of the NHS.

      The point? The point is that the ICO says "don't do that!" out loud enough for people to take notice. Whether that ultimately works is another matter, but not for the ICO to sort. They have their hands full with people in government and elsewhere doing boneheaded things with data enough as it is already. Still, it is a good question, and one that does need sorting. Write your MP today about it.

      1. mark 63 Silver badge


        "The NHS *always* has ultimate responsibility."

        "That's just how delegating a task works: You tell someone else to do it, and they answer to you for how they'd done it "

        I beg to differ; think of the cowboy builders programs on TV - is it the poor old dear who's been ripped off 5K over a couple of roofing tiles' fault?

        The NHS is, on the face of it, innocent here.

        It doesn't state whether it was a specific contractor who specialises in destroying data - which would make it a lot more farcical - or an intermediate IT contractor who would be tasked with finding the above mentioned data specialist, but at the end of the day it's the contractor's fault.

        That's assuming, and for the love of God I hope I'm right in this assumption, the NHS manager in question did say, preferably in writing, "I want the data on these drives destroyed"

        rather than "sure mate - if you can get a few quid for these PCs take 'em home and bung 'em on eBay!"

        I actually work for the NHS, clearly a different department, because the amount of money we're spending making sure data (and the hardware it's on) is destroyed is horrific, not to mention the money having the rest of the hardware "recycled".

        For PCs and monitors without drives eBay would in fact be a far more green / ecologically sound AND financially better solution.

        1. Anonymous Coward

          I have no telly so I have no idea what your example is on about. If you order someone to roof your house, they answer to you how they do that, and you bind them to that through a contract to build. If you don't have that you fall back on existing law, which may or may not protect you. Getting ripped off usually means someone having found loopholes in law and/or contracts (or written them in themselves) and abusing them, sticking you with the bill.

          The NHS is entrusted with data, they put it on hard drives, so it's their responsibility to ensure it doesn't go walkies when they'd like to dispose of the hard drives. They don't lose that responsibility (that the ICO can rap them for) even if they contract out the wiping. So in that respect they are not, cannot be, innocent. Protecting that data is their job, pure and simple.

          And yes, the NHS really should have, in writing, not merely "I want this data destroyed" but also "and YOU get our ICO fines if you fail us". If not, they get fined for failing to care for the data --they gave it away and the contractor turned out crooked-- and get stuck with it for failing to put into the contract the right to pass on the fine to the contractor.

          As responsibilities go, this is how it works. Having tried and apparently succeeded to get the drives with the data back in time should get you some leniency, so the height of the fine is probably more than a bit frustrating for the NHS. Unless they can pass it on, of course.

  3. This post has been deleted by its author

    1. Yet Another Anonymous coward Silver badge

      The big problem with this fine is it's going to mean a return to the IBM / CapGemini / WAACTW getting all the contracts just so managers have their arse covered.

    2. Intractable Potsherd

      The contractor was not the Data Controller ...

      ... and so, for the purposes of the Act, isn't responsible. They could (and should) be made liable through private law routes, though.

      Better drafting of the contract would have made this a non-issue for the trust.

    3. Anonymous Coward

      The NHS is responsible

      If an organisation could escape responsibility for data protection by passing it on to a third party, then they would pay a tenner to anyone who'd take the disks away and data protection would be meaningless.

      The chief executive of the NHS trust said "We were the victims of a crime". They weren't. The police have decided to take no action against the contractor. He received the disks lawfully and then didn't destroy them, which was merely a breach of contract. Perhaps the fine will help to improve the CEO's understanding of the law and his responsibilities.

      A former CEO of mine once said to me that when he was a much more junior manager he used to read through the contents of the to-be-shredded bin to find out what was going on in the company. The lesson was clear: if you have something sensitive that needs shredding, do it yourself.

      Destruction of confidential information on hard disks is something that is sufficiently important and happens sufficiently infrequently that the responsible manager should be witnessing it himself.

  4. Anonymous Coward

    I'll buy they didn't intend to have drives with data flogged.

    Then again, irresponsibility of a (sub)contractor doesn't absolve you from having to care for the data on the hard drives. Or at least it really should not. That is how responsibility and delegation (through outsourcing) works. That this is risky ought to be evident.

    So I think I'll support both the notion of "proposing" that fine, and the notion of the NHS not having to pay all of that, given that they acted quickly and got all the media back. What's happened with the data is probably for the police to sort out.

    They should probably learn that the only way you can be sure the wiping gets done is to do it yourself (and even then...) before handing the kit to the cheapest bidder. Or, you know, watch the drives get tossed into an industrial shredder (and inspect the results), or to dissolve them in a blast furnace, or something.

    In the end, this way of ensuring privacy just isn't very tenable; it doesn't scale. Therefore we'll need better ways to handle personally sensitive information. Too bad the NHS has to bear the brunt of it as they weren't too great with this automation thing to begin with. We'll keep on seeing things like this until well and truly fixed and I expect it to be fixed, well, never in the case of the NHS as it currently exists, and they're not the only ones with that problem.

  5. Stephen 2


    Why are the ICO so quick to throw huge fines at councils and (now) the NHS? But they dare not go near big corporations?

    In this case the NHS followed the rules and paid for secure destruction. They got screwed over.

    1. Anonymous Coward


      Councils and the NHS have far more data about individuals than companies do. The NHS has all your medical records (obviously). The council will have details of complaints you've made, complaints made about you, council tax payment details, the property you live in, what benefits you receive etc. Most of the council information is available to huge numbers of council workers. Go to a council walk-in centre and the people there will have access to it.

      Asda, on the other hand, knows what food you eat and recognises that this information is valuable. It therefore takes steps to ensure it is protected. No one at your local store (including the store manager) will have access to it. Fewer people with access means fewer opportunities to disclose or lose the data.

      If you have a specific example of a big corporation being let off the hook by the ICO then why not tell us who it was instead of the generic "big corporation" complaint?

      1. Anonymous Coward

        credit card application forms ?

        "a specific example of a big corporation being let off the hook by the ICO "

        credit card application forms ? They have everything a fraudster might want.

        You do remember the case in 2008 where a server used for processing credit card applications for Amex, NatWest, and RBS was sold off on fleaBay, while still containing images of the paper application forms, don't you? The individual who bought the server was Andrew Chapman, the subcontractor doing the processing was called Graphic Data.


        I can't remember what (if anything) the ICO did about it, and (oddly enough) the popular search engine also doesn't easily find any reports of what action they took. Perhaps someone else can find something, as absence of evidence of action is not evidence of absence of action.

        But until someone produces details of what the ICO did in this case, I rate this one as "big corporations being let off the hook"

        And that's one of the rare ones that made it as far as the press. M'learned friends working on behalf of the private sector and in particular finance companies usually work better and more rapidly than they did in Andrew Chapman's case.

        I'm sure there are plenty more examples, but I have other things to do.

        As others have already noted, the way to get folks attention to detail to prevent cases like this is to hold the Chief Executive (or similar) personally responsible. After all, when things are going well, they pay themselves as though the success was their personal doing. So when they let things go wrong, surely the same principle should apply.

        1. Anonymous Coward

          Monetary penalties were only introduced in April 2010 so anything before that could not have resulted in a fine.

          Individuals could get compensation, but the ICO never had the power to impose monetary penalties.

          You will have to find something more recent than that.

          Finally, all the parties involved in that incident were found to be in breach and had to sign an undertaking not to do it again. That was the limit of the ICO powers at that time. If it happened today then they would probably be fined.

      2. Anonymous Coward

        Re: Because..

        > If you have a specific example of a big corporation being let off the hook


      3. Anonymous Coward

        @AC 09:43

        1.) BT and Phorm

        2.) BT and ACS:Law (when details were provided unencrypted against the demands of a court order)

        3.) The entire media according to one witness at the Leveson inquiry

        4.) Google and their wifi Streetview tricks

        5.) Lush (see

        Finally given Vodafone's and 3's attitude towards Bluecoat and illegally sharing our personal data with them it's fairly clear that they don't think that they have anything to fear from the ICO. For some reason ISPs keep on managing to get a 'get out of jail free' card.

        Need any more examples?

        1. Anonymous Coward

          1) Pre 2010 no fines possible

          2) ACS:Law was fined by the ICO in May 2011

          3) Ongoing investigation

          4) Intercepting WiFi comes under RIPA and not the DPA

          5) Lush was hacked.

          1. Anonymous Coward

            @AC 14:35

            1.) So what about Talktalk and their homesafe product in use today? What about 3 and Vodafone's use of Bluecoat? It started with Phorm but spread to other ISPs and shows no sign of stopping. And it will never stop as long as the ICO continues to do nothing about it.

            2.) And it was BT that breached the court order, not ACS:Law. BT were the ones faced with the court order, not ACS:Law, and they are the ones ultimately responsible for failing to comply with it. However in that case the ICO preferred to gut the DPA rather than enforce it. A sad, but nonetheless predictable outcome.

            3 & 4) Fair enough.

            5.) If it's a result of poor security then it doesn't matter if they were hacked or not - they failed to adequately secure customer data and should be punished for that failure.

            1. Anonymous Coward

              1) What about TalkTalk? Has the ICO received a complaint? Why not list every company you have a gripe with? Alternatively you could look at the ICO site and find out for yourself if a complaint has been raised.

              2) Breach of a court order is not the same as a breach of the DPA.

              5) It was a sustained hacking attack, not poor security.

              1. Anonymous Coward

                @AC 16:11

                The ICO needs to receive a complaint before it will even consider stopping illegal action?

                They are definitely aware of Talktalk's homesafe product, as Talktalk themselves have previously mentioned conversations with the commissioner over claims in regards to the system, but the ICO has failed to do anything about it.

              2. Anonymous Coward

                @AC 16:11

                Incidentally my own communications with the ICO on another matter indicate a complete lack of any technical knowledge on the part of the people working there. They do not seem to understand that something like a URL could contain personal information that could be used to identify the user ( as a basic example), thereby presumably making URLs entered by users personal data that should be protected by the Data Protection Act.

                This should not really come as a surprise though given the lack of people working at the ICO that have any knowledge of how technology works and how it can be abused.

                Nevertheless it should make for an interesting follow up email to INFSO (the part of the EU commission that has been dealing with PECR-related issues in the UK). If previous failures to act are anything to go by then the ICO will probably decide to not do anything about my case, and I can then give INFSO my own example of how privacy is still being ignored in the UK. Perhaps if enough people complain we can even get the commission to re-open the court case that it has pending against the government here for failing to properly implement PECR.

  6. John Smith 19 Gold badge

    Hold up. "Certified contractor"

    I *really* hate to say this.

    *If* the con-tractor (and given their behavior that is the right way to pronounce the word) agreed to *destroy* the drives to the relevant British Standard (industrial shredder ?) *they* are in breach of contract and flat out lying about where the hardware is going.

    It's a breach of contract (unless the contract is *very* slack. Not impossible given NfIT) and the NHS were acting (for once) in good faith. Visits from NHS lawyers, Police and the local council Trading Standards staff should all be happening.

    This little scam has even been played with crematoria in the US, when the owners realized they could just charge for the gas and stick them in the ground out back.

    1. Velv

      Further to this, all contractors I know have Indemnity Insurance in excess of £1m. None of the agencies I've seen will engage a contractor who doesn't have Indemnity insurance, and that is for Individuals working through a limited company, not even companies with several employees providing services such as data destruction who need far more coverage.

    2. Anonymous Coward

      Re: Hold up. "Certified contractor"

      > *If* the con-tractor [...] agreed to *destroy* the drives [...] *they* are in breach of contract

      The issue here however is not one of a breach of contract, but one of falling foul of the Data Protection Act.

      I imagine that the question that must be answered in order to determine responsibility is who was the custodian of said records at the time they were compromised.

      It's a sad fact that the NHS might have been caught on a technicality when by the looks of it they were trying to do everything by the book. It's sadder still to see the ICO go after them and instead look the other way when big business is involved (credit card companies, banks, Phorm/BT [primarily a RIPA violation, but there might have been DPA issues as well], Google, etc., etc.).

    3. Anonymous Coward


      That was an hour north of where I live. The funny part was that it was simply laziness...with a little extra effort, they could have sold the coffins off as pre-owned. Instead, they just stacked the coffins like boxes...

  7. This post has been deleted by its author

  8. Anonymous Coward
    Anonymous Coward

    registered contractor

    What do they mean by registered contractor? Registered with whom?

    From the sound of it they are talking about an individual and not an organisation. In other words one of the IT contractors they use said "I can destroy them for you for £X per drive" to which the Trust said "yes".

    If that is the case then there is some justification in the fine as they should have ensured the individual concerned did actually destroy them.

    1. Aitor 1


      There really is no justification, just no bad faith (or so it seems).

      Using contractors should be irrelevant, they had the data, the HDDs went on sale, guess who is going to pay...

  9. Aitor 1

    NHS IS responsible

    If they decide to subcontract, it is their sole problem, THEY have the legal custody of the data.

    They are also victims, but of a different crime, and they should be punished. Depending on the contract, maybe the decision maker should be sacked, or not.

    They should, of course, pass the bill to the subcontractor, as the contract should include this. If it doesn't, then sack who signed the contract, without severance pay.

    1. Anonymous Coward

      I would agree with that. The ICO is only concerned with who had initial responsibility and who passed that responsibility on to a third-party, in this case the NHS trust. The trust should now seek to recover the costs from the sub-contractor's insurance company as a breach of contract regarding the destruction of the data units.

      Oh you mean someone in the trust has a mate of a mate who said he "worked in IT" and would take the drives out to his garage and drill holes in them for a fiver a time? 'Cept he thought he might be able to get some extra cash from some dodgy people buying them off fleaBay?

      Sack the twat who cleared this without checking, the manager and anyone who authorised the payment to the contractor without doing proper due diligence!

  10. vagabondo

    "registered contractor "

    Shouldn't the Hospital's first response be to complain to the contractor's registering body, then sue for losses and costs incurred consequent to breach of contract? Considering the potential consequences, I do not think the fine was particularly large. The penalty and accrued costs should just be passed back until they reach the guilty party.

  11. RocketBook

    The Problem With This

    Is that it doesn't really hurt the trust because we the tax payers pay it.

    Really the people that should be fined are the directors of the trust, they are supposedly paid to take responsibility for things, so they should suffer the financial consequences, not the patients or for that matter, us the tax payer.

    Can't beat a good rant in the morning

  12. Piers

    Sack someone. As close to the top as you can.

    Someone is responsible, and sacking the manager/person in charge is going to send a way stronger signal than squeezing their budget further.

    Sadly the ICO probably doesn't have that power...

    1. Anonymous Coward

      Sack them...?

      That'll just mean they collect a huge severance/golden parachute payment (cos people at the top -never- get sacked.. they all agree to depart by mutual consent upon payment of sufficient compensation, bonus, pay in lieu, pension contribution) and immediately walk into a new job as head of the hospital trust down the road.

  13. Anonymous Coward

    Need more details..

    ..does the contractor have all the relevant ISO's (2700x range spring to mind). Was a contract in place for secure data destruction before disposal?

    If they followed correct, sensible procedures, then they shouldn't be held responsible.

    If they opened the Yellow pages, took out a pin and went you, they'll do, then they are to be accountable. This should be taken out of the CIO's (or whatever they have) wages, not the NHS funds.

  14. Anonymous Coward

    This is a notice of fine, not the fine that may be imposed. The Trust is challenging it.

    This appears to my mind to be a profile raising exercise by the ICO.

    If I read the article right (and elsewhere), and accepting that journos usually only have half the tale, it appears the Trust took all reasonable measures to protect the hard drives by locking them away then contracting a body to destroy them. All in their policy and procedure. A rogue employee is just that, someone who ignores policy and procedure for their own gain or to be malicious. I agree that morally the perp should be penalised but under the DPA the Trust is the data owner and must bear ultimate responsibility. But, like other posters, I agree that a hefty fine like this would do no good to the NHS. Watch it silently disappear once the Trust challenges it....

  15. Anonymous Coward

    Processes and checks

    It's entirely possible that the fine isn't entirely related to the data loss itself, but for possibly not having proper procedures and processes in place to audit the subcontractor to ensure that he was doing what he was contracted to do, ie securely destroy the drives.

  16. TheManCalledStan

    HDD prices

    With HDD prices as they are contractors are going to be tempted.

    NHS need to realise that they need to get the basics right like verification and onsite destruction.

    Some contractors offer this, they have HDD shredders on lorries. They come in with the lorry your IT guys bring the HDD and tip them in a hopper. They can verify that the HDD were destroyed.

    It costs a bit more, but it's peace of mind.

  17. Drummer Boy

    Trust, but verify: the bywords of security these days.

    It may well be that the contractor had a contract to destroy hard drives - not knowing what may, or may not, have been on them.

    The NHS has a duty to safeguard information, and that cannot be delegated.

    A hard lesson to learn, but learn it they must.

    One reason that public bodies need to be fined (not that I am happy about it) is that commercial organisations suffer commercially if they cock up and get in the news, as we, the consumers can vote with our feet; where this does not apply to public bodies.

  18. Anonymous Coward

    really poor..

    We have used disk destruction services before for sensitive data and I am glad they've had the book thrown at them for not checking the end result.

    Ours shredded the disk into a million pieces. If the PCT had followed this - there wouldn't have been any disks to sell on e-bay.

    1. Aqua Marina

      Did you count...

      ... all 1 million pieces? Or did you get up to 999990 and decide there wouldn't be sufficient confidential data on the remaining 10 pieces to bother checking :p

  19. Anonymous Coward

    I still think that destroying hardware in order to safeguard the data on it is very wasteful. A securely wiped drive won't give up data to less than extreme recovery methods - even the most basic wipe of the drive (raw device rather than file system) will make data inaccessible for most purposes, and the drive is then available for re-use. Given the current price of drives and the constant budget pressures in organisations like the NHS it's almost irresponsible /not/ to sell them on.
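    Post 19 above argues that a wipe of the raw device (not the filesystem) is enough to make the data inaccessible for ordinary purposes while leaving the drive reusable, and posts 3, 4 and 16 make the related point that the data controller needs verifiable proof that sanitisation actually happened. The Python script below is an example added here, not code from the thread or from any NHS or ICO procedure, showing the three defensive steps together: overwrite the raw device, read the whole device back to verify every byte, and produce an audit record the controller keeps. It runs against a temporary file standing in for a device like /dev/sdX, so it is safe to try offline; the function names, the single zero pass, the `limit` parameter (only there to show the verifier catching an incomplete wipe), the audit field names and the `SERIAL-PLACEHOLDER` value are this example's own choices, and block-device size detection via lseek is assumed to behave as it does on Linux.

```python
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1 << 20  # 1 MiB read/write unit


def _device_size(fd, path):
    """Regular file: stat it. Block device (assumed Linux): seek to the end."""
    if os.path.isfile(path):
        return os.path.getsize(path)
    size = os.lseek(fd, 0, os.SEEK_END)
    os.lseek(fd, 0, os.SEEK_SET)
    return size


def overwrite_raw(path, pattern=0x00, limit=None):
    """Overwrite the raw device at `path` with `pattern`, byte for byte.

    Writing to the device rather than through a filesystem covers free space
    and deleted files too. `limit` (demo-only) stops early so the verifier
    can be shown catching an incomplete wipe. Destructive: check `path` first.
    """
    fd = os.open(path, os.O_WRONLY)
    try:
        total = _device_size(fd, path)
        if limit is not None:
            total = min(total, limit)
        block = bytes([pattern]) * CHUNK
        written = 0
        while written < total:
            written += os.write(fd, block[:min(CHUNK, total - written)])
        os.fsync(fd)  # make sure the overwrite reached the device
    finally:
        os.close(fd)
    return written


def verify_wiped(path, pattern=0x00):
    """Read the whole device back and check every byte equals `pattern`.

    Returns clean (bool), bytes read, the offset of the first non-matching
    byte (None if clean) and a SHA-256 of the read-back data so the audit
    record can later be re-checked against the device.
    """
    expected = bytes([pattern]) * CHUNK
    digest = hashlib.sha256()
    offset, first_dirty = 0, None
    with open(path, "rb", buffering=0) as f:
        while True:
            data = f.read(CHUNK)
            if not data:
                break
            digest.update(data)
            if first_dirty is None and data != expected[:len(data)]:
                first_dirty = offset + next(i for i, b in enumerate(data) if b != pattern)
            offset += len(data)
    return {"clean": first_dirty is None, "bytes": offset,
            "first_dirty_offset": first_dirty, "sha256": digest.hexdigest()}


def audit_record(device_id, operator, result):
    """Build the line the data controller keeps as proof of sanitisation.

    Field names are this example's own; `device_id` would be the drive
    serial number in real use (a constructed placeholder in the demo).
    """
    return json.dumps({
        "device": device_id,
        "operator": operator,
        "method": "single-pass overwrite, full read-back verification",
        "verified_clean": result["clean"],
        "bytes_verified": result["bytes"],
        "first_dirty_offset": result["first_dirty_offset"],
        "readback_sha256": result["sha256"],
        "timestamp": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }, sort_keys=True)


def demo(size=3 * CHUNK + 12345, limit=None):
    """Run the procedure on a temp file of random data (constructed stand-in
    for a drive). Returns (before, after) verification results."""
    fd, path = tempfile.mkstemp(prefix="fake-drive-")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(size))
    try:
        before = verify_wiped(path)
        overwrite_raw(path, limit=limit)
        after = verify_wiped(path)
    finally:
        os.remove(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print(audit_record("SERIAL-PLACEHOLDER", "operator-name", after))
    _, partial = demo(size=2 * CHUNK, limit=CHUNK)
    print("incomplete wipe detected at offset", partial["first_dirty_offset"])
```

The read-back step is the part that turns "we paid someone to wipe it" into evidence: a drive that was only partly overwritten, or never overwritten at all, fails `verify_wiped` with the offset where live data remains, and the record of a clean pass carries a digest that can be recomputed from the drive itself. For a real device the same functions are pointed at the block device path, which needs root and a very careful check that it is the right drive.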

  20. volsano

    Money go round

    If facts are as presented, NHS will charge back the contractor. The contractor will claim on their insurance.

    At each step, lawyers will lap up fees.

    Insurer will put up fees to NHS contractors.

    Contractors will pass increased costs to NHS clients.

    Taxpayer pays.

    And, just perhaps, some NHS execs miss out on gongs in the honours list.

  21. Da Weezil

    I guess this is what you get when tendering for services is required; lower prices often result in lower standards.

    It really is time that much this outsourcing bollox was clamped down on, it leads to a huge number of non productive jobs connected with the contracts while the economies of scale are lost by virtue of supply to individual trusts rather than a huge national service.

    Data storage equipment and the management of it should be in the care of the data custodians that way the responsibility cannot be fudged.

    As ever policy is driven by the demands of business to suckle at the public funding trough.

  22. h4rm0ny

    On the face of it, it seems unfair to fine the hospital for the behaviour of their sub-contractor. Surely the sub-contractor is the criminal here. That may be the case, but I was in on the meetings when a different NHS group (a PCT in the South West) was selecting 3rd party IT providers. I pointed out that for the same amount of money, they could actually just expand their internal IT support staff and (a) get more actual man-hours for the same amount of money, (b) not introduce co-ordination issues between their internal and external services and (c) actually have people they could directly manage.

    After pushing this point for a while and being fobbed off with various flawed justifications, it was eventually put explicitly that if they outsourced their IT support, they would no longer be responsible for it. So yes, maybe the hospital is not at fault. But I have seen active and deliberate avoidance of responsibility be the motivating factor in purchasing decisions in the NHS. Between attitudes like that and the attempt by New Labour to sell the entire NHS off to private industry, it's a tribute to the actual medical staff that it's still actually running!

  23. Anonymous Coward
    Anonymous Coward


    Most commentators seem to think that the NHS have been wronged here by the contractor. However, when RBS had a similar thing happen with a subcontracted data processing company having servers stolen by an employee and flogged on ebay, commentators were queuing up to slag off RBS because "it was their fault".

    1. Anonymous Coward
      Anonymous Coward

      commentators slagging off RBS because "it was their fault".

      It may not have been Amex/NatWest/RBS's fault, but it was their data and their responsibility.

      1. Anonymous Coward
        Anonymous Coward


        That's exactly the point. The appropriate contracts were in place, with penalties and audits. The servers were waiting in a lockup for secure destruction. An employee of the supplier took it upon himself to use his access to the lockup to steal the machines and sell them. This is hardly RBS' fault, and nothing they could have had control over, which is very much the case here.

        1. Anonymous Coward
          Anonymous Coward

          It doesn't matter that "it wasn't their fault".

          It was undeniably their responsibility. The fact that they chose to sub something out to someone who turned out not to be trustworthy is relevant only to the lawyers, who shall be first against the wall when the revolution comes.

          Whatever the money-chasing lawyers might want you to believe, an organisation cannot absolve itself of the responsibility for having a job done simply by shuffling some paper and moving some money.

  24. jaycee331
    Thumb Down

    Public vs Private

    There seems to be a trend here.

    The ICO grow a pair when it comes to hunting down Councils, NHS and other public sector organisations committing data offences. Nice easy targets.

    But should the offence involve a private corporation, I'm yet to see anything but "advice given" or token fines that are, in relative terms, pocket money.

  25. Lockwood

    Blame game?

    This is where we have the well known siblings, Accountability and Responsibility.

    The data destruction was tasked to a contractor. They were /responsible/ for the data breach.

    The paperwork to authorise this work and sign the equipment off the asset register to the contractor for the purposes of destruction was performed by the NHS Trust. They were /accountable/ for the data breach.

    This is a useful distinction to note - I've been in many a discussion on accountability and responsibility when it comes to being in an authoritative position. As the accountable person, questions may be asked of you, however if you were not responsible for the (in)action, you are not liable.

    I would see the contractor getting into some serious trouble over this, with the NHS being given a bit of a telling off and being told to use better judgement in who it chooses to make responsible for such things.

    Given the requirement for more and more documentation with the CQC and the very long running "If it's not written down then it didn't happen", there must be a policy to deal with data destruction and a fully auditable trail that can track the equipment coming in to the NHS, through the NHS and out of the NHS to the contractor.

  26. Derichleau
    Thumb Down

    Another easy kill for the ICO

    Yet another example of how the ICO comes down hard on government agencies. The NHS can't fight back as they must comply with the DPA98. What about the tens of thousands of commercial organisations that incessantly abuse data protection laws... when is the ICO going to start getting tough on them? The fact is, if you're processing personal data and you've not notified the ICO, and you're not exempt from notification, then you're committing a criminal offence. What's the ICO doing about these criminals? NOTHING!

    I want to see similar fines handed out to commercial organisations that break the law. It's time the Information Commissioner grew a pair.

  27. Anonymous Coward
    Anonymous Coward

    Begs the question...

    ...why the fuck the public sector needs to line the pockets of the private sector for a job like this?

    Why doesn't the Trust buy the equipment necessary to destroy the disk? It's only a few grand. After 25/50/100 disks it's paid for itself anyway. The mechanical machines are not rocket science to operate - they give the job of turning the handle to the lowest cost member of staff they can find.

  28. Parax


    The NHS are responsible and should be fined. They in turn should sue the contractor for the entire sum plus all costs. That is the correct procedure; they should not be whingeing.

    If the contractor is too small and can't pay, then the NHS is out of pocket, but that is their own fault for using sub-par contractors. The lowest price is not always the best solution.

    Always ensure your contractors have professional indemnity insurance (PI)! If they don't, they can't do the job.

  29. Neil C Burns

    How much would it have cost the NHS to get someone, kit him or her out with a Torx screwdriver set for less than a fiver off eBay (lol) and a hammer, dismantle the drives, pop out the platters, wipe them with a magnet, and then mash them up with said hammer?

  30. Eradicate all BB entrants

    Time to be downvoted ....

    ...... as while the public will pay the fine, the NHS were responsible: they collated and compiled the data, so should not have let it out of their sight when it was so easy to access.

    While we aren't the most modern shop here, we always run drives through KillDisk a couple of times before passing them for disposal. Yes, the most determined person in the world may be able to revert what we did in order to obtain files, but it at least proves that we made an effort to make sure we aren't passing easily accessible info to 3rd parties.
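    Posts 19 and 30 above both rest on the same point: a raw-device overwrite before the drive leaves the building, followed by a check that the overwrite actually happened (the "not checking the end result" that post 18 complains about). The script below is an added example, not code posted by any commenter or used by the Trust. It assumes a Linux/GNU userland (dd, head, tr, wc, stat, and blockdev for real devices) and root access to the target block device; a regular file can stand in for a device when rehearsing the procedure.

```shell
#!/bin/sh
# Added example, not code from the thread: overwrite a raw block device in
# place, then read it back and verify the overwrite before the drive is handed
# to anyone. Assumes a Linux/GNU userland. Run as root against /dev/sdX to wipe
# a whole disk; a regular file can stand in for a device when rehearsing.
set -u

# Size in bytes of a block device, or of a regular file standing in for one.
device_size() {
  if [ -b "$1" ]; then
    blockdev --getsize64 "$1"
  else
    stat -c %s "$1" 2>/dev/null || stat -f %z "$1"
  fi
}

# Overwrite the whole device: PASSES-1 passes of random data, then one pass of
# zeros. Writing to the raw device rather than through a filesystem also covers
# deleted files, slack space and the partition table.
wipe_device() {
  target=$1
  passes=${2:-2}
  size=$(device_size "$target")
  n=1
  while [ "$n" -lt "$passes" ]; do
    head -c "$size" /dev/urandom | dd of="$target" bs=1048576 2>/dev/null
    n=$((n + 1))
  done
  head -c "$size" /dev/zero | dd of="$target" bs=1048576 2>/dev/null
  sync   # make sure the final pass has reached the media before verifying
}

# Read the device back and count bytes that are not zero. Returns 0 only if
# the readback is entirely zeros, so a wipe that silently stopped early fails.
verify_zeroed() {
  target=$1
  size=$(device_size "$target")
  nonzero=$(head -c "$size" "$target" | tr -d '\000' | wc -c | tr -d ' ')
  if [ "$nonzero" -eq 0 ]; then
    return 0
  fi
  echo "VERIFY FAILED: $target still has $nonzero non-zero bytes" >&2
  return 1
}

# Wipe, verify, and emit one audit line for the disposal record.
# Exit status is 0 only when the readback verification passed.
wipe_and_verify() {
  target=$1
  passes=${2:-2}
  wipe_device "$target" "$passes"
  if verify_zeroed "$target"; then
    status=verified
  else
    status=FAILED
  fi
  printf '%s target=%s bytes=%s passes=%s result=%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$target" \
    "$(device_size "$target")" "$passes" "$status"
  [ "$status" = verified ]
}
```

    The readback is the part worth keeping: it is cheap relative to the write pass and is the only evidence that the drive was actually wiped rather than merely scheduled for wiping. The caveat is that an overwrite only reaches sectors the drive still exposes; reallocated sectors, areas hidden by HPA/DCO and SSD over-provisioning are not touched, so for those the drive's own ATA Secure Erase (hdparm --security-erase) or a self-encrypting drive's crypto-erase is the right tool, with the same readback check kept as the audit record.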

  31. Anonymous Coward
    Anonymous Coward

    Never mind that, who is going to pay for the removal of my defective breast augmentation implants? Private or public sector?

    1. Aqua Marina


      ... or it didn't happen!

  32. Anonymous Coward
    Anonymous Coward


    Any chance of clarifying what "registered contractor" means in this context? It has the feel of weasel words to allow the guilty party/parties to try and deflect the blame.

    If the "registered contractor" was employed by the NHS trust in an internal position, I can see why the NHS have been fined and they may be able to pursue the costs from the contractor's insurance.

    If the "registered contractor" was either an employee of an external asset disposal contractor or a contractor at an external asset disposal company, I would expect that the data disposal company would end up with the costs.

    The interesting thing is that the "registered contractor" has been questioned by police and no charges laid. That suggests there was no paper trail to protect the innocent.

    As a WAG, maybe the "registered contractor" was the mate of an IT manager who was getting rid of them on the cheap and ended up in a bad place....

  33. Stephen Rodda

    Left Hand, pay Right Hand

    This is a pointless exercise.

  34. This post has been deleted by its author

  35. Anonymous Coward
    Anonymous Coward

    Come on, my company could do a better job of data wiping than that

    even though our WEEE records are in Excel, our wiping software is DBAN and our procedures are in my head. (We're quite a small operation.)

  36. Microphage

    Data deletion Device

  37. JasonB

    sadly ...

    It seems it would not have been impossible to have wiped the disks BEFORE they left the Trust computers. The Chief Exec and whoever decided NOT to wipe the drives should be sacked.

  38. Anonymous Coward
    Anonymous Coward

    why not in-house?

    I'm not sure whether this became almost inevitable in the days of contracting out many things coupled with saving money in every way possible. However, I'm not sure how the costings would play out if the disks were wiped to certain standards within the NHS, and then they could be merely re-distributed down the line to machines that could still usefully need hard disks of this size: that way, the responsibility firmly remains within the NHS, and the fate of the disks lies with people who are still firmly within the NHS.

  39. Peter Jones

    How absurd! Who do you think will have to pay? The penalty should be personal on the chief executive. Then we'll see action to stop this sort of loss.
