The Nursing and Midwifery Council (NMC), the UK's regulator of nurses and midwives, sent three DVDs relating to a fitness to practice hearing by courier. The DVDs contained confidential and highly sensitive information (including video files) relating to alleged offences by a nurse and information about children who were identifiable from that information.
When the packages that had contained the DVDs were opened following delivery, the DVDs were missing. The DVDs were not protected by any form of technical security, such as encryption of the video files, and the NMC had no policy requiring the encryption of this data either while held at its offices or during transit to the hearing venue. The NMC had not been able to recover the DVDs.
The Commissioner held that there had been a serious breach of the data protection principle that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". The NMC should have ensured that any removable media containing sensitive information was encrypted prior to sending it to the hearing venue. The breach was likely to cause substantial damage or distress to the relevant individuals as their confidential and highly sensitive personal data may have been disclosed to a recipient with no right to see that information, and might be further disseminated and possibly misused. The NMC should have realised that the practice of sending removable media containing sensitive personal data in an unencrypted format constituted a serious risk, which could easily be avoided. The NMC was therefore fined £150,000.
In the ICO's commentary on the decision, it emphasised that while many organisations are aware of the need to keep sensitive paper records secure, they forget that personal data comes in many forms, including audio and video images, all of which must be adequately protected.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
We operate a free-to-view policy, asking only that you register in order to read all of our content. Please login or register to view the rest of this article.