A nursing home has been fined £15,000 by the UK data protection regulator, the Information Commissioner’s Office (the “ICO”), because it did not take adequate steps to protect personal data that a staff member had taken home on an office laptop. The laptop was stolen from the staff member’s house during a burglary.
What was on the laptop?
The laptop contained information concerning staff disciplinary matters and absence (including reasons for absence and medical certificates) and information regarding residents’ physical and mental health conditions. This is sensitive personal data for the purposes of the Data Protection Act 1998 (the “DPA”).
What does the DPA say?
The DPA requires organisations to take steps to ensure the security of the personal data that they hold. The level of security needed is based on: the current state of technology; the cost of measures relative to the size of the organisation; the likely harm arising from loss; and the nature of the personal data to be protected.