BreachExchange mailing list archives

ICO fines Nursing and Midwifery Council £150,000 for data loss


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Tue, 19 Feb 2013 10:04:21 -0500

http://www.computing.co.uk/ctg/news/2244597/ico-fines-nursing-and-midwifery-council-gbp150-000-for-data-loss

The Nursing and Midwifery Council has been fined £150,000 by the
Information Commissioner's Office (ICO) for breaching the Data
Protection Act.

Three DVDs containing confidential information about two children went
missing in the course of a nurse's misconduct hearing, and an ICO
investigation found that the data on them had not been encrypted.

"The Nursing and Midwifery Council's underlying failure to ensure
these discs were encrypted placed sensitive personal information at
unnecessary risk," said David Smith, deputy commissioner and director
of data protection, criticising the council's handling of the matter.

"No policy appeared to exist on how the discs should be handled, and
so no thought was given as to whether they should be encrypted before
being couriered. Had that simple step been taken, the information
would have remained secure and we would not have had to issue this
penalty."

The ICO urged organisations to take more care when handling personal data.

"It would be nice to think that data breaches of this type are rare,
but we're seeing incidents of personal data being mishandled again and
again," said Smith.

"While many organisations are aware of the need to keep sensitive
paper records secure, they forget that personal data comes in many
forms, including audio and video images, all of which must be
adequately protected."

The ICO deputy commissioner stressed that organisations need to
enforce robust policies for the protection of personal data.

"I would urge organisations to take the time today to check their
policy on how personal information is handled. Is the policy robust?
Does it cover audio and video files containing personal information?
And is it being followed in every case?

"If the answer to any of those questions is no, then the organisation
risks a data breach that damages public trust and a possible weighty
monetary penalty," he said.

The Nursing and Midwifery Council's penalty comes a month after the
ICO fined Sony £250,000 for the April 2011 PlayStation Network
hack. That attack compromised the personal data of millions of
PlayStation users, and the fine was a record penalty from the ICO.

However, the comparative levels of the two fines are likely to raise
questions as to how the ICO decides on appropriate penalties in the
event of data breaches.

When asked by Computing to explain the decision-making process behind
the fines issued to the two organisations, the ICO said the figures
were commensurate with its own published guidance.

"One of the key factors when deciding the value of the penalty imposed
on Sony was the fact that the breach affected millions of users and
could have been prevented if the software being used had been kept
up-to-date," an ICO spokesman told Computing.

The ICO's published guidance states that one of the factors determining
the level of a penalty is the nature of the individuals affected; it
specifically mentions data about children.

"While the Nursing and Midwifery Council breach only affected a
relatively small number of individuals, it nevertheless resulted in
confidential personal information being compromised. Once again the
breach was preventable, as the sensitive nature of the information
stored on the DVDs meant that the data should have been encrypted,"
the spokesman added.

The ICO announcement of the fine was accompanied by a guide for
organisations about how to properly use encryption when storing data.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
