The ICO has finally blown the metaphorical doors off it, handing down a fine of £325,000 to an NHS Trust for what charitably be described as an absolute shocker of a data breach
You can read for yourself the details here, and the general squirming of the organisation as it attempts of get out of coughing up the whopping fine. Interesting to note the use of the word Austerity in a mitigation plea for the first time. More of that in a moment
To my mind, this illustrates Graeme’s 3 Laws of Information Security down to a tee. The Laws are:
Law Number One: You Cannot Outsource Risk. It’s yours, and yours alone
Law Number Two: By implication of #1, you cannot outsource liability.
Law Number Three: Don’t Get Caught
Admittedly, number three is borrowed from The Eleventh Commandment of the Security Services (‘Thou Shalt Not Get Caught’). But it’s the first two that are of use here when we examine the case.
The reality of the situation is, an organisation was employed to dispose of the data properly. For whatever reason, it didn’t happen. One would hope that the Trust had in place contractual obligations and penalties for breach of these obligations, BUT, it’s still the data belonging to patients of the Trust, collected and used by The Trust. That ownership is not transferred just because a contractor is handling the media. And that ownership has explicit meaning when it comes to liability. The ownership of the risk is never transferred, and so the Trust is liable.
The next question is regarding the fine, and its likely payment. I’ve raised before that the ICO will never have credibility (and therefore change behaviours, as is its purpose in life right now) until it hands out a big fat fine. Big fat fines work because they have more chance of impacting front line services, generating lots of adverse PR, comment and general wailing and gnashing of teeth. This appears to be the case here.
The downside is, by playing the Austerity card and maybe referencing the precedent of the ICO quietly reducing fines (again, covered by me in the past), they will probably get away with coughing up less cash than they’ve been fined.
The irritation of all of this is that it an appalling breach, clearly far worse than any offcially made public so far, and therefore demands the worse fine so far. I just fear that weasel words and precedent will render the process impotent.