A nursing home has been fined £15,000 by the UK data protection regulator, the Information Commissioner’s Office (the “ICO”), because it did not take adequate steps to protect personal data that a staff member took home on an office laptop. The laptop was stolen from the staff member’s house during a burglary.
What was on the laptop?
The laptop contained information concerning staff disciplinary matters and absence (including reasons for absence and medical certificates) and information regarding residents’ physical and mental health conditions. This is sensitive personal data for the purposes of the Data Protection Act 1998 (the “DPA”).
What does the DPA say?
The DPA requires organisations to take steps to ensure the security of the personal data that they hold. The level of security needed is based on: the current state of technology; the cost of measures relative to the size of the organisation; the likely harm arising from loss; and the nature of the personal data to be protected.
In this case, because the sensitive personal data related to the health conditions of vulnerable adults, the nursing home was required to take more stringent data security measures than would be necessary for non-sensitive personal data.
What did the ICO find?
The ICO’s investigation found that the nursing home did not have appropriate data security measures in place, particularly in relation to homeworking and the storage of data on mobile devices, and did not provide staff with appropriate data security training. The ICO added that the laptop issued to the staff member for homeworking purposes should have been encrypted; password protection alone was not enough. A login password only controls access to the operating system: whoever holds the physical laptop can remove the disk, or boot from other media, and read every file on it unless the disk itself is encrypted.
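The practical question that follows from the finding above is how to confirm that a device actually has full-disk encryption in place rather than just a login password. The script below is an added example for this page, not material from the ICO notice or the nursing home, and it assumes a Linux laptop using LUKS/dm-crypt. It reads the output of util-linux `lsblk -P` and reports every mounted filesystem that has no dm-crypt device anywhere in its chain of parent devices, so a plain partition, and an LVM volume sitting directly on a disk, are both flagged, while LVM-on-LUKS is accepted. The `lsblk` output embedded here is constructed sample data so the check runs offline; the exemption of `/boot` and `/boot/efi` is an assumption of the example (those partitions hold the bootloader, not user data), not an ICO requirement.

```shell
#!/bin/sh
# Added example: audit whether data at rest is really encrypted on a Linux laptop.
# On a live host the input would come from:
#   lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME | unencrypted_mounts
# Mount points listed here are assumed (by this example) not to need encryption
# because they contain no user data. Swap is deliberately NOT exempt: an
# unencrypted swap partition can hold copies of whatever was in memory.
EXEMPT_MOUNTS="/boot /boot/efi"

# Reads lsblk -P (KEY="VALUE" pairs) on stdin. Prints "mountpoint (device)" for
# every mounted filesystem whose device, or any ancestor device, is not a
# dm-crypt ("crypt") device. Prints nothing when everything is encrypted.
unencrypted_mounts() {
  awk -v exempt="$EXEMPT_MOUNTS" '
    BEGIN { n = split(exempt, ex, " "); for (i = 1; i <= n; i++) skip[ex[i]] = 1 }
    {
      name = ""; type = ""; mp = ""; pk = ""
      line = $0
      # Pull out each KEY="VALUE" pair; values may be empty (FSTYPE="").
      while (match(line, /[A-Z]+="[^"]*"/)) {
        pair = substr(line, RSTART, RLENGTH)
        line = substr(line, RSTART + RLENGTH)
        eq   = index(pair, "=")
        key  = substr(pair, 1, eq - 1)
        val  = substr(pair, eq + 2, length(pair) - eq - 2)
        if      (key == "NAME")       name = val
        else if (key == "TYPE")       type = val
        else if (key == "MOUNTPOINT") mp   = val
        else if (key == "PKNAME")     pk   = val
      }
      if (name == "") next
      types[name] = type; parents[name] = pk
      if (mp != "") mounts[name] = mp
    }
    END {
      for (dev in mounts) {
        mp = mounts[dev]
        if (mp in skip) continue
        # Walk up the device tree (partition -> disk, lvm -> crypt -> part ...)
        # looking for a dm-crypt layer anywhere beneath the filesystem.
        encrypted = 0
        for (d = dev; d != ""; d = parents[d])
          if (types[d] == "crypt") { encrypted = 1; break }
        if (!encrypted) print mp " (" dev ")"
      }
    }' | sort
}

# Convenience wrapper for fleet scripts: exit 0 if clean, 1 if anything is flagged.
all_mounts_encrypted() {
  findings=$(unencrypted_mounts)
  [ -z "$findings" ]
}

# Constructed sample (not captured from a real machine): root is LVM on LUKS,
# /boot/efi is an exempt plain partition, but /home sits unencrypted on sdb1.
SAMPLE_LSBLK='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="luks-1234" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="sda2"
NAME="vg-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="luks-1234"
NAME="sdb" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/home" PKNAME="sdb"'

# Stand-alone run over the sample: prints "/home (sdb1)".
printf '%s\n' "$SAMPLE_LSBLK" | unencrypted_mounts
```

On a Windows or macOS fleet the equivalent checks are `manage-bde -status` (BitLocker) and `fdesetup status` (FileVault); the point is the same in each case: verify that the encryption is actually enabled on every issued device, rather than assuming it from a policy document. Full-disk encryption protects a laptop that is switched off or locked with the key evicted from memory; it does not help if the device is stolen while logged in and unlocked, which is why the training and homeworking rules discussed later on this page still matter.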
The ICO considered the security breach to be serious due to the number of individuals involved and the sensitive nature of the personal data on the stolen laptop. The breach was also likely to cause substantial distress to the individuals involved, as they would expect the nursing home to hold their personal data securely and would not expect an unauthorised third party to have access to and make use of it.
The ICO highlighted that the level of fine was commensurate with the size of the nursing home business and a larger home would be likely to face a significantly higher fine for the same breach.
What does this mean for our organisation?
The ICO’s findings here are not unique to nursing homes or indeed the care sector. They are relevant to any organisation that issues mobile devices for work purposes and that permits, or does not prevent, staff working from home.
The risks are further intensified if an organisation supports a “bring your own device” (BYOD) policy, which allows staff to use their own devices for work purposes, ranging from remote e-mail access on a personal mobile phone or tablet through to full systems access.
What can our organisation do to avoid this happening to us?
Including staff Data Protection training in induction programmes, together with frequent refresher training, is a good starting point but this in itself is not enough. Policies and procedures relating to data security and breach incident response should also be implemented to put your organisation in a robust position if and when it is faced with a data security breach incident. Not doing so could have significant financial consequences and result in negative PR – neither of which is good for your business.
In the event of a breach incident, you should inform the individuals concerned and reassure them that you have been proactive in minimising the breach fallout. Individuals should also be advised to remain vigilant of any suspicious activity following the incident, such as unauthorised bank transactions (if relevant). Doing so goes some way towards reducing the size of an ICO fine and protecting your organisation’s reputation and public image.