Europe, Middle East and Africa

UK Health Service Breaches Data Act When Hard Drives Stolen
Information Security, Privacy and Data Protection

The United Kingdom (UK) Information Commissioner’s Office (ICO) has announced that the Brighton and Sussex University Hospitals National Health Service Trust (the Trust) has received a penalty notice for breaching the Data Protection Act. The breach occurred when an individual employed by the IT Service provider for the Trust sold hard drives containing personal information after being given the responsibility of destroying them. The hard drives contained “highly sensitive personal data belonging to tens of thousands of patients and staff”, including “details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports” as well as “staff details”. ICO deputy commissioner and data protection director David Smith stated that the amount of the penalty imposed “reflects the gravity and scale of the data breach”, adding that in this case “the Trust failed significantly in its duty to its patients, and also to its staff”. The Trust has committed to “providing a secure central store for hard drives and other media, reviewing the process for vetting potential IT suppliers, obtaining the services of a fully accredited ISO 27001 IT waste disposal company, and making progress towards central network access”.

ICO’s media release (1 June 2012)
(Source: ICO)

UK Child Care Service Breaches Act
Information Security, Privacy and Data Protection, Records Management

The United Kingdom (UK) Information Commissioners Office (ICO) has announced that the Telford and Wrekin Council has breached the Data Protection Act due to two instances of the disclosure of personal information about children, and has received a penalty notice (28 May 2012) for £90,000. In the first instance, a member of staff from Safeguarding Services sent the child’s Social Care Core Assessment to the child’s sibling instead of their mother who lived at the same address. In the second breach, the addresses of foster care placements of children were included in the Placement Information Record which was shown to the mother of the children, who noted the addresses. The ICO announced that the “council has now committed to taking action including providing Safeguarding Services staff with further training and support on data protection and information security as well as on using the Protocol system”. The council is also “introducing formal guidance on checking documents printed off the Protocol system, and making changes to its configuration”.

ICO’s media release (6 June 2012)
(Source: ICO)

Three Plead Guilty to Insider Trading in UK Regulator’s Prosecution
Insider Trading

The United Kindgom (UK) Financial Services Authority (FSA) has announced that three people have pleaded guilty to insider trading in the course of its prosecution. Blue Index director James Sanders, his wife Miranda Sanders and Blue Index co-director James Swallow have pleaded to insider trading and will be sentenced on 19 June 2012. The FSA had alleged that Miranda Sanders’ sister Annabel McClellan and brother in law Arnold McClelland leaked inside information to James and Miranda Sanders, “who used the information to commit insider dealing in those US securities between October 2006 and February 2008″. James Sanders was alleged to have passed on that information to others, including James Swallow. According to the FSA, as a result of the insider trading, “[t]he total profits generated by the defendants were approximately £1.9 million, while the total profits generated by the clients of Blue Index were approximately £10.2 million”. FSA acting director of enforcement and financial crime division Tracey McDermott said that “[Mr] Sanders and [Mr] Swallow abused their position as approved persons” by using Blue Index “as a vehicle for their criminal conduct and cynically exploit[ing] the inside information they had illegally obtained to try and improve its reputation and profitability for their own benefit”.

FSA’s media release (28 May 2012)
(Source: FSA)

Clothing Retail Group Back-pays Former Unpaid Interns
Employment and Workplace Issues

The Guardian reports that clothing retail group Arcadia has back-payments of hundreds of pounds to dozens of its former unpaid interns. Reportedly, “[i]nterns who worked at Arcadia’s head office in London said they have received cheques for their labour up to a year after their placement with the company’s PR department ended”. The back-payments reportedly follow a series of “health checks” by HM Revenue and Customs to ensure that workers and interns are receiving the pay that they are entitled to under national minimum wage legislation. Interns reportedly described their experience as consisting of “‘menial’ tasks without much supervision”, adding that they were “excluded from any serious meetings or learning experiences”. One intern added that “the company gave her only travel to cover zones 1-6, though she commuted from Worthing, West Sussex, five days a week, and £2.50 a day for lunch”, reports The Guardian. According to The Guardian, a company statement said that the Arcadia “is fully compliant” in payment of interns.

The Guardian: Miss Selfridge interns finally get paid – a year late (30 May 2012)
(Source: The Guardian)

Health Service Faxes Private Data to Wrong Location
Information Security, Privacy and Data Protection

The Information Commissioners Office (ICO) has announced that the Central London Community Healthcare National Health Service (NHS) Trust (the Trust) has been fined a £90,000 Monetary penalty notice (27 April 2012) due to a breach of the UK Data Protection Act 1988. The breach occurred when “patient lists from the Pembridge Palliative Care Unit, intended for St John’s Hospice, were faxed to the wrong recipient”.  The ICO stated that the individual incorrectly receiving the faxes “informed the Trust in June that they had been receiving the patient lists – around 45 faxes over a three month period – but had shredded them”. The patient lists “contained sensitive personal data relating to 59 individuals, including medical diagnoses and information relating to their domestic situations and resuscitation instructions”.

The ICO found that the Trust “failed to have sufficient checks in place to ensure that sensitive information sent by fax was delivered to the correct recipient” and “failed to provide sufficient data protection guidance and training to the member of staff concerned”.

ICO head of enforcement Stephen Eckersley stated that “the fact that this information was sent to the wrong recipient for three months without anyone noticing, makes this case all the more worrying.”

ICO’s media release (21 May 2012)

Related news item:
French Tribune: ICO Imposes £90,000 Fine For Serious Data Breach On NHS (22 May 2012)
(Source: ICO;; French Tribune)