UK Data Protection Review for February 2013
- The council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. An ICO investigation found the information was not encrypted.
- The council had been couriering evidence relating to a ‘fitness to practise’ case to the hearing venue. When the packages were received, the discs were not present, though the packages showed no signs of tampering. Following the security breach, the council carried out extensive searches to find the DVDs, but they’ve never been recovered.
- The ICO stated: “failure to ensure these discs were encrypted placed sensitive personal information at unnecessary risk. No policy appeared to exist on how the discs should be handled, and so no thought was given as to whether they should be encrypted before being couriered. Had that simple step been taken, the information would have remained secure and we would not have had to issue this penalty.”
- They were caught carrying out the breaches for non-policing
purposes, BBC Wales has discovered under the Freedom of Information Act.
- Included checks on partners, relatives and associates, altering
their own records, and passing data to third parties.
- Four people were sacked and 14 resigned as a result of the breaches.
- The ICO said compulsory data protection audits of councils and the NHS are needed to help eliminate "really stupid basic errors".