The Data Protection Act 1998 requires organisations to have measures in place to keep any personal information which they hold secure. The Information Commissioner’s Office has imposed a fine of £15,000 on a nursing home for failing to keep personal information secure; the breach occurred when a member of staff took an unencrypted work laptop home, where it was stolen overnight during a burglary. The laptop contained sensitive personal information relating to 46 members of staff, including reasons for sickness absence and information about disciplinary issues. The laptop also held details about 29 residents, including their dates of birth, mental and physical health and “do not resuscitate” status.

An investigation by the ICO found widespread systematic failings in data protection at the nursing home at the time of the breach. The investigation discovered that the home did not have any policies in place regarding the use of encryption, homeworking or the storage of mobile devices, and did not provide adequate training for staff on data protection issues.

The level of the fine reflects the fact that the nursing home was a small business. It is likely that a larger organisation would receive a much heavier fine in similar circumstances.

For more information on the measures that you should put in place to comply with the Act, contact David Vaughan-Birch.

The Data Protection Act 1998 can impose hefty fines: are you compliant?