back to article NHS fights record £325k ICO fine after clap records appear on eBay

An NHS Trust is disputing a record fine the Information Commissioner's Office has levelled on it for leaving tons of data on patients and staff on hard drives that were sold on eBay instead of being destroyed. Brighton and Sussex University Hospitals NHS Trust was served a civil monetary penalty of £325,000, the highest handed …


This topic is closed for new posts.
  1. Benjamin 4

    I don't get it, all these employ a specialist etc etc etc. All they need to do is to get a tech to hit each drive a half dozen times with a sledgehammer. The platter shatters into bits so you'll never get data off of it, much cheaper and harder to avoid.

    1. LarsG

      Tax payer to Government to NHS to Government funded by the Tax Payer.

      Morons managed by idiots overseen by the sub-normal, the NHS IT system.

      I love it, the tax payer gives money to Government, the Government give the NHS money, the Government instructs the Courts to take the NHS to task. The NHS is fined and not by much, the money is then given to... The Government. The tax payer then makes up the shortfall.

      I suppose MP's need some way to increase their expenses pot, a clever bit of accounting and the Governments appears blameless.

      1. The BigYin

        Re: Tax payer to Government to NHS to Government funded by the Tax Payer.

        @LarsG - the drives were taken away by a private contractor under form mad PGI-type scheme which allows the NHS trust to show greater openness and a willingness to be wallet-raped by the private sector (as is government policy). This will all be wrapped-up in a bollocks-speak press briefing and contract.

        The contractor will be the lowest bidder with the thinnest margins and thus keen to get any profits anywhere they can, which means flogging stuff on eBay.

        One other thing you can bet is that the conrtact will be so one-sided that even if the trust ejects the contractor for such flagrant negligence, they will need to pay compensation for loss of profits (a common clause in PFI deals which is why we have to spunk so much money at our badly run rail system).

        I do agree with one thing, fining the NHS is stupid. You fine the contractor and you fire the managers.

      2. Marty

        Re: Tax payer to Government to NHS to Government funded by the Tax Payer.

        its just wrong for a gov. department to fine the NHS for something like this... All it does is costs the taxpayer and the actual peoples damaged by the actions of staff money..... It doesn't help the situation.

        Find the people responsible and remove them from their jobs. Employ people that do the job properly.

        1. Bob Vistakin

          Re: Tax payer to Government to NHS to Government funded by the Tax Payer.

          The police do exactly the same when they're found guilty and "fined", i.e. the money comes from the pool we've paid into via taxes, and after all the middle men have had a nice big bite, goes, err, back into the same pool. Its a farce designed by clever lawyers to ensure no-one in the system really suffers, yet they always benefit financially whilst the PR guys ensure the public thinks its all been sorted. Again, paid for by us.

          1. cs94njw

            Re: Tax payer to Government to NHS to Government funded by the Tax Payer.

            There's no incentive to avoid fines. They've got very little money, and they have an incredibly hard time keeping things running.

            Now they have even less money, and the situation is now worse.

            If you want a deterrent for public sector - fine the directors responsible.

            1. Anonymous Coward
              Anonymous Coward


              Loved that big shredder Ross K, but can't help thinking it needed a safety guard. Getting a tie caught in there wouldn't be fun!

        2. I think so I am?
          Paris Hilton

          Re: Tax payer to Government to NHS to Government funded by the Tax Payer.

          "Employ people that do the job properly."

          This is going to be hard when Gov pay's 25-50% below market average for internal techs then remove the gold plated pension. Or outsource to companies that are only profit driven and not driven to supply the best service possible.

          The reason why all public needed services should be government run at even or small profit. Paris because that's obviously a dumb idea.

    2. KjetilS

      At the idea of breaking the platters...

      If someone REALLY wants the data off that drive, they will, even with shattered plates.

      Afaik, the only way to truly destroy the data is to do a magnetic wipe of the platters, or simply melt them.

      1. Wize

        Re: At the idea of breaking the platters...

        "If someone REALLY wants the data off that drive, they will, even with shattered plates."

        Its all about effort required. If someone buys a working disk, there is a chance they will try to undelete what files were on it before.

        If someone gets a smashed disk, they probably won't bother going to the expense of recovery.

        If its something of value, like military secrets, then it may be worth the cost to the enemy to recover. But if someone wanted a set of hospital files, its probably cheaper to hire someone to hack them.

      2. Is it me?

        Re: At the idea of breaking the platters...

        Actually there's a company in not far from this trust that will grind disk drives to dust. If they are serious they would blanco them as well.

        1. Wize

          "...that will grind disk drives to dust."

          Will it blend?

    3. Anonymous Coward
      Anonymous Coward

      I had no idea Mr Jones at number 25 had the clap, I would never have guessed it, he's 87 years old!

      Lucky beggar

    4. This post has been deleted by its author

    5. Ross K Silver badge

      @Benjamin 4:

      @Benjamin 4:

      Huh? You've never seen the inside of a hard disk have you?

      You use a bender or fragger, not a techie with a hammer:

    6. Anonymous Coward
      Anonymous Coward

      Hit the drive with a sledgehammer and.... crash the heads, only they'll be parked so it doesn't do a lot save dent the case.

      The safest way to destroy a drive is to melt it down. That's not likely, so the alternative is to crack the drive open, remove the platters and then apply a metal file to the surface, then bend it in half, then into quarters, then hit it with a hammer to flatten it, then send the platters all mixed up off to recycling. Takes time but it's safer than a sledgehammer. It's also safer than running magnets over the drives (there's still latent markers on the disks that can be read with the right kit).

    7. Anonymous C0ward

      Smash them with a hammer

      If it's a laptop drive, the platters are made of glass. You don't need a sledgehammer for that, a small mallet will do.

      If it's a desktop drive, the platters are made of metal. You'll put a big dent in it but not smash as such.

  2. sabba

    The equation is really rather simple...

    ...if you can't afford to pay a penalty then:

    1. do your job properly in the first place

    2. don't try to cover it up again and again

    I am not overly sure whether it's failings in the recruitment process within the administrative / managerial side of government departments that ensures this level of incompetence or if people just become lazy / disengaged / demotivated to such an extent that they no longer give a f*@k. Either way something has to change. Perhaps if the fund cannot afford to pay the penalty their chief exec should do the honourable thing and throw him-or-herself on the proverbial sword (perhaps with a ban on their taking up a similar role for the next 5 years).

    1. Anonymous Coward
      Anonymous Coward

      Re: The equation is really rather simple...

      His name is Duncan and I believe the CEO is only on £298,000 pa with benefits, so there may be a cash shortfall even if he does fall on his sword.

      If he does he will just go to another trust and start again but on a higher pay scale.

      1. sabba

        Re: The equation is really rather simple...

        The 298k plus benefits would certainly reduce the overall outlay. And with regards to his moving on to another trust, that's why I advocated at least a 5 year ban on his taking up other such posts. The number of times these guys 'do the honourable thing' by resigning only to move on to another similar role to do it all again (after using their golden parachute of course).

  3. KjetilS


    "We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal."

    ... yeah, that really helps if a regular person says the same thing.

    "Sorry officer, I can't afford to pay that fine, so you can't fine me. Pardon me while I get back to breaking the law."

    1. despairing citizen

      Re: Excuses...

      If the appeal ends up in front of a judge, the cost is going to be a damn sight higher than £325k.

      They don't have a case, they have clearly failed to understand, let alone comply with the relevant legislation. I can see a judge awarding costs on this for NHS stupidity, and wasting time appealing.

      Please get the twit CEO out of the office whilst the trust still has some money left.

      1. Intractable Potsherd

        Re: Excuses...

        I'm not sure that there isn't a case. There is certainly sufficient evidence given to this point to say that the Trust did a good job of maintaining the drives in a safe place, etc. The incompetence comes in at the level of the contractor that allowed a fly-by-night operator to do a job that should have been handled to the highest standards, not the lowest.

        I am a little baffled, though, that the drives were allowed out of the building without any form of encryption and/or wiping (even writing random 1s and 0s would be better than nothing). As an earlier commenter mentioned, few people would go to the trouble of trying to get information that has been well scrambled off a drive with no history of where it came from.

        Don't get me wrong, someone needs a kicking. I think (on the evidence given so far) that the contractor should be taking the hit for this.

  4. Nev


    ""In a time of austerity, we have to ensure more than ever that we deliver the best and safest care to our patients with the money that we have available. We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal."

    Can we try and use that defence for parking and speeding fines too, then?

  5. Colin Millar
    Big Brother

    Ridiculous money-go-round

    One crat passing tax-payers money to the next crat leaving the first crat with a financial hole that yet another crat will have to fill - what kind of cnut dreamed up this sytstem? Oh yes - yet another crat. I wonder if any of these people actually ever think beyond the end of their own desk?

    Big brother would be watching you but he's too busy sharpening his pencils.

    1. despairing citizen

      Re: Ridiculous money-go-round

      The purpose of the fine is to make it painful for the budget holder, so that;

      (a) they take action to aviod being fined

      (b) that heads role, and the next person in charge has his mind sharply focussed the next time somebody suggest tossing out some disk drives

      Personally I would like to see directors and officers in the NHS held personally accountable for the fines, but short of that this is as good as it gets.

      PS. Nationwide got a base £1.4m fine from the FSA, when the data was stolen from a locked house

  6. fighne

    ?? in this time of austerity....

    but they can afford to pay someone £143,000....

    May be his advise was 'just ignore this stuff nobody ever gets fined'!

    1. Nev

      Re: ?? in this time of austerity....

      Look like he got some nice pay rises too:

      "Duncan Selbie, chief executive of Brighton and Sussex University Hospitals Trust has an annual salary of between £180,000 and £185,000. "

      Stepping down in July to head up some Quango:

  7. Whitter

    One hopes there will be an additional fine for a trite reason for appealing the first one.

    And that the chief exec and chief IT man are sacked. Its not their money to pay the fine, but was their resposibility not to allow the stuff to KEEP on happening.

    1. The BigYin


      In buckets. Either they lied or did not properly investigate. Either one I would call gross professional negligence. Heads must roll (with no golden goodbye, pension protection or anything).

      Out on the street, just like anyone else.

      But this is government luvvie duvvies we are talking about. Just watch, those at the centre will pop-up again as "experts", "thought leaders" or with some other vacuous title.

  8. MJI Silver badge

    No fine - just sackings

    Get rid of chief exec - too highly paid - only people I feel who should be on high wages in hospitals should have years of training and get called Doctor (OK I know about consultants).

    Also whoever authorised the useless contracter.

    As to fining NHS - just no OK.

    1. The BigYin

      Re: No fine - just sackings

      Doctors are already highly paid (and rightly so). It's nurses and cleaners you want to worry about.

      1. MJI Silver badge

        Re: No fine - just sackings

        Actually you are right, but to be honest I feel that the chief executive of a hospital should not be the huge earners.

        The people who operate on you and make you better should be the highest paid people in a hospital NOT a beaurocrat

        1. The BigYin

          Re: No fine - just sackings

          @MJI - they are all equally important.

          The cleaners make sure you don't catch whatever the poor sod next door has.

          The nurses make sure nothing bad happens to you and that treatment is administered.

          The doctors figure out what that treatment is.

          The managers make sure the kit is available for you to be treated.

          What should not happen (and you are quite right about) is for a pen-pusher to be mah-hoos-ively overpaid.

          If fact, regardless of industry, the people at the top getting paid orders of magnitude more than those at the bottom (who do the actual work) is a serious issue in or society.

          1. MJI Silver badge

            Re: Big Yin

            Well I had an operation last year so was in a week.

            Nurses were good, but I did not appreciate being woken at 3 in the morning for a blood pressure check and being in agony as the pain killers had worn off - needed morphine to get back to sleep. (few hours after op).

            My biggest complaint was lack of communication between staff, and me being trial and error.

  9. keithpeter Silver badge

    How often?

    "...and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay."

    Sounds expensive, and the original contractor is getting paid, unless they got ebay to remove listings &c

    If the contractor had spent the time writing random bits to the hard drives, would anyone have ever known about this? I'm assuming the contractor is off the hook as there was no proper contract.

    1. Anonymous Coward
      Anonymous Coward

      Re: How often?

      Had the drives been erased to military-grade specifications, then re-selling them on eBay should be a non-issue.

  10. David 45


    It always seems slightly ludicrous to me to fine a public body like the NHS or a local council, as the money ultimately comes out of tax-payers' pockets anyway. Surely there should be a personal come-back against whoever caused the problem in the first place, as a deterrent, otherwise errors will continue. Admittedly, this would probably require additional investigation by the ICO but that's what they're for, presumably.

  11. kain preacher

    How come the subcontractor was not fined to ?

    1. mccp

      Maybe because they didn't have a contract? Presumably the ICO reckons that it's not good enough just to ask someone to get rid of a few hard discs; there should have been a proper contract in place that required that the drives were decommissioned properly.

      If there had been a proper contract in place, then the NHS would be in a position to sue the contractor _and_ to defend itself against the fine (IANAL).

      1. ed2020

        Even if nothing was written down there is still a contract in place - there was an exchange of goods/services for payment.

        Even if there is no documented evidence of the expected destruction of the drives surely nobody's going to believe the NHS were paying a third party to flog old kit, containing sensitive information, on eBay.

  12. Winkypop Silver badge

    Meanwhile, at the appeals tribunal.....

    ....the chief prosecutor diligently saves his documents on that cheap hard drive his assistant bought on eBay....

  13. Kevin Johnston

    Repeating I know but...

    As said by many above and on all too many similar articles...

    DON'T fine the public body, fire and then prosecute the senior managers. If it involves sub-contractors then prosecute them too.

    The lines of responsibilty should be down in written procedures and if you are listed as the person responsible for making sure it works then you take the blame, the marching orders and the legal slap when it doesn't (do not pass Go, do not collect ANY money). The only defence would be to show that people deliberately ignored the process at which point they go onto the bonfire instead.

    1. Anonymous Coward
      Anonymous Coward

      @Kevin Johnston Re: Repeating I know but...

      Let's not forget the situation where Mr. IT was given verbal orders by some higher-up to skip the bidding process, or rig the bidding process to ensure Contractor X get the contract, because Mr. Higher Up has a coxy relationship (kick-backs from) Contractor X,

      Corruption -- it usually goes all the way up to the top.

  14. frank ly

    "It is a matter of frank surprise ... "

    Surprise doesn't cover it. I was amazed by the stupidty and gobsmacked by the mendacity of all involved.

    How is it that we live in a society where this can happen? What the F can we do to stop it?

  15. Ross K Silver badge


    £325k? That's nothing. The annual wage bill for a couple of NHS managers maybe...

    It's not going to affect the quality of service the NHS provides its' "customers", so I dunno what that mouthpiece is moaning about. I'd be all for multiplying that fine by 10, except that it's the taxpayer who gets shafted in the end.

    1. Soruk

      Re: £325k?

      That's not nothing. How many nurses would that pay for? How many operations would that pay for?

      1. Dave the Cat

        Re: £325k?

        Nurses - around 4 nurses pay and pension for one year, depending on experience and length of service

        Operations - Again depending on type, roughly 10 heart transplants or 3.5 liver transplants (inc lifetime of aftercare) or 46 Hip replacements,

        Other NHS Services - 3066 individual trips to A&E or 13540 GP appointments (no drugs) or Treat 280 severe asthma patients or treat 15 breast cancer patients with Herceptin for one year or treat 9 cancer sufferers in one year with chemo and radio therapies***

        That is all.

        *** Figures are a few years old now ( < 5yrs).

      2. Ross K Silver badge

        Re: £325k?


        OK I should have made the sarcasm in my post clearer. There are NHS managers out there making (I nearly used the word "earning"...) more per year than David Cameron or Angela Merkel - a figure of £145k was mentioned by someone earlier...

        That's wrong. These guys are doing nothing to improve anybody's lives except their own.

    2. despairing citizen
      Big Brother

      Re: £325k?

      The maximum fine for those regulated by the ICO is £500k, the government probably guessing who was going to be picking up most of the fines chickened out, and did not set it to the FSA standard.

      The FSA gets to think of a suitably painful number and demand it as a fine. The most similar case to this was the Nationwide stolen laptop, which earnt them a £1.4 base fine (reduced because they reacted quickly to plug the hole)

  16. wowfood

    so let me get this straight

    The NHS cocks up, primarily because they don't have the money or staff to keep a propper eye on things. The way to solve the issue is to fine them even more money, so they have even less money to hire reputable companies or staff, which will lead to more cockups and fines.

    Its like the idea of giving them a lower budget so they don't have enough doctors, so they wind up paying 10* a normal salary for a temp.

    Why don't we just take away all their money, let the system collapse and move to a healthcare system like the USA has, because that's clearly where the government wants us headed.

    1. despairing citizen
      Big Brother

      Re: so let me get this straight

      The NHS has lots of money, and it is the largest single employer in Europe.

      What it lacks is qualitity employees in managerial posts (i.e. it needs less managers, and more management)

      It is also worth noting that all NHS IT jobs come with the tag "must have previous NHS experience", despite the track record of failure in NHS IT.

      You also end up with managers sending SHOs rather than consultants ("to save money") to see new cancer patients at a comunity hospital (i.e. no backup), and then wonder why they end up in court with the next of kin, and a bunch of barristers.

      Consultants maybe expensive, but their hourly rate is less than a barrister! - No Brainer!

      So the problem is not number of bodies or size of budget, it is simple competence

  17. Tony S

    Sex Ed

    Perhaps all of the staff involved in this should be given the clap!

  18. Thomas 4

    And the moral of the story is....

    Don't buy clapped out hard drives off eBay.

    1. The BigYin

      Re: And the moral of the story is....

      No, the moral is do buy clapped out drives off eBay in the hope of getting some juicy info you can sell to the press.

      In "the public interest" of course.

  19. Christoph

    Asking for it

    They locked up the drives for two years, then moved them somewhere else, then looked around for someone to sort them out? Hardly surprising that it went wrong.

    If drives with extremely sensitive data were redundant and removed, they should have gone straight to secure destruction.

    And surely an NHS region can find enough spare cash to get some gadget that can mangle a disk drive beyond the ability of anyone short of GCHQ to recover data from it.

    1. Nick G

      Re: Asking for it

      Or at least encrypt them...

      At the trust I work at, any pc with Patient Identifiable Data has to be encrypted - not only for safety when finally disposing of them, but in case a patient nicks them...

    2. Anonymous Coward
      Anonymous Coward

      Re: Asking for it

      "surely an NHS region can find enough spare cash to get some gadget that can mangle a disk drive beyond the ability of anyone short of GCHQ to recover data from it."

      Yes, it's called "a PC" (with a CD-ROM or USB boot capability).

  20. Anonymous John

    It should count itself lucky.

    That the ICO didn't add a £15 victim surcharge.

  21. ukgnome

    I worked as a contractor for the NHS a while ago. All end of life kit was placed in storage until it was cost effective to contact the WEEE man. All hard drive had been taken out and when the WEEE man arrived he would shred them on site.

    Now I can't speak for other authorities, but the one that I worked for had that policy. Part of the problem is the fragmentation of the NHS. If everyone sat under one roof with a nominated supplier then this wouldn't happen. However this is more likely now that "competition" will be introduced as part of government reforms.

  22. Anonymous Coward
    Anonymous Coward

    What I hate about IT

    This is what gives IT a bad name. The contractor clearly had no idea what he was doing, and if he did then he should go to prison.

  23. John Brown (no body) Silver badge

    How feckin' long?

    "The Trust decommissioned a number of hard drives back in March of 2008, which were then stuck in commercial storage in a locked room watched by CCTV. Two years later, around a thousand of the drives were moved to Brighton General Hospital and put in a room that could only be accessed with a key code."

    WTF were they doing in paid for commercial "secure" storage for two feckin' years?

    And of the "around a thousand" which were moved back to local storage, how many were left and still being paid for in storage?

    I could probably have bought or built a shredder, destroyed the drives, documented the process and still made a healthy profit just based on the storage costs alone. (you don't think they paid the £5-10 per week we mere mortals can hire storage space for, do you?)

  24. Trollslayer

    Think about this

    If they have a policy of ignoring basic procedures and lying here what makes you think they do anything else when it comes to managing patient care?

    The negligence and outright lying must be punished and SEEN to be punished.

  25. ZenCoder

    Why not securely erase the drives and sell them?

    Is their really any way of recovering data from a hard drive that's been overwritten three times by random numbers. Once is enough to prevent any normal data recovery.

    Since the write head will be slightly out of alignment on each pass, I suppose if your using a device that is several orders of magnitude higher in resolution you could read the current and an old track, but once its been overwritten three times, it would be a mess of overlapping magnetic fields.

    You could write some software that will log the serial number and model numbers reported by the drive after its been securely erased. That way the workers can't get lazy and not process the drives.

  26. Derichleau
    Thumb Down

    Picking on government agencies again

    This is yet another example of how the ICO focuses its resources chasing after government agencies. Contrast this with commercial organisations and the ICO don't want to know. The ICO's record of dealing with commercial organisations is appalling. They can't even carry out an audit against a company without first obtaining permission from the company to do so. And they send out mixed messages all the time. For example, I know for a fact that the ICO will not prosecute for a contravention of the PECR2003. Nor will they prosecute for failing to comply with a section 11 DPA98 request. Yet apparently they're going to kick-ass over tracking cookies? How do they explain the inconsistency?

    1. Lockwood

      Re: Picking on government agencies again

      I had a slight rant the first time this came up.

      Good that the NHS are challenging it.

      To the people who say that heads should roll in the NHS, I ask you why?

      You ask me to do a task.

      I say that I will do the task.

      I get Bob down the pub to do the task.

      Bob fails.

      You get in deep poopies because of Bob's action.

      1. Bob Asic

        Re: Picking on government agencies again

        Did some one call? :)

  27. despairing citizen

    Where to start

    So no clear ownership of the data management process

    Hired "fred in a shed" to carry out work involving S2/DPA98 data

    Didn't write a proper contract (therefore probably no transfer of liability and duties with the drives)

    Did anybody check that the end party has the appropriate procedures and equipment to dispose of the drives?, do they have the appropriate professional indemnity cover?

    There are a lot of people in the NHS with the word "manager" in their job title, yet to meet many people in the NHS that I would call a Manager.

    1. JasonB

      Re: Where to start

      The problem with the NHS is quite simply that on-one in authority seems to take confidentiality seriously.

      Brighton will have a Data Protection Officer, but you can bet he (or she) is so low on the pecking order that he/she can safely be ignored. Communications Managers and Business partners are paid a small fortune, not to mention all the experts that are hired in as 'consultants' to give ... erm ... advice on stuff.

      I've been to one or two seminars with ICO spokesmen there and they take the attitude that if the organisation structure for confidentiality is wrong that will bump up the fine. Might explain the high fines being given to the NHS then.


  28. Anonymous C0ward

    I am gonna have a heart attack and die

    from that surprise.

  29. Stuart Grout

    Pay the fine and go after the contractor

    I assume the contractor the NHS was paying was responsible for doing the job correctly.

    They failed and landed their customer with a big fine. I'd be very surprised if the NHS couldn't go after the contractor for the fine and any other expense they can think of. Then maybe the contractor would be even more careful about which subcontractor they employed.

    1. ZenCoder

      Re: Pay the fine and go after the contractor

      Maybe they didn't have a proper contract with anyone, in which case the blame reverts back to them.

This topic is closed for new posts.

Other stories you might like