LAST week we reported on a possible data breach by the trust that runs Basingstoke hospital, after personal information about women who had suffered a stillbirth was published online.
The information about three women included details of their previous miscarriages and pregnancy terminations and was listed as ‘restricted’ in the documents, which were freely available for anyone to access.
The matter was reported by Hampshire Hospitals NHS Foundation Trust (HHFT) to the Information Commissioner’s Office (ICO), after the Gazette raised concerns that the published information could lead to the women being identified.
Here, we look at what happens next, and what, if any, enforcement action the ICO could take.
The ICO considers data breaches and collates further information on similar issues, looking at the possible breach alongside others raised about the organisation, to help build its understanding of the organisation’s overall performance.
In cases where a clear and serious breach of the legislation has taken place, the ICO will take direct action. If there has been a serious failure to comply with the law, the ICO will provide advice and instruction to help ensure the organisation gets it right in the future.
It may take enforcement action if it feels the organisation isn’t taking its responsibilities seriously, which could range from light to severe – from warning letters to fines.
In the most serious cases, a penalty of up to £20m could be imposed.
Information from the ICO states: “A breach can have a range of adverse effects on individuals, which include emotional distress, and physical and material damage. Some personal data breaches will not lead to risks beyond possible inconvenience to those who need the data to do their job. Other breaches can significantly affect individuals whose personal data has been compromised.”
HHFT has apologised for the distress caused and said it would be offering support to the three women affected.
A spokesperson for the trust said it is now “actively investigating this matter internally, and working with the ICO”.
Figures from the ICO for the last year show that there were 419 data breaches in the health sector, with the largest number (59) a result of loss or theft of paperwork, or data left in an insecure location.
This was closely followed by data posted or faxed to the incorrect recipient, of which there were 55 breaches.