Following on from the case reported last month on data protection (”Failing to anonymise – the cost”), a nursing home in Northern Ireland has received a fine of £15,000 from the Information Commissioner’s Office (“ICO”), following the burglary of the home of one of its staff members.
During the burglary, an unencrypted work laptop was stolen. The laptop contained sensitive personal data, including medical information, on the nursing home’s 29 residents (including “do not resuscitate” orders) and personal data on the 46 members of staff.
The ICO’s subsequent investigation found the nursing home had no policies in place regarding the use of encryption, working from home and the storage of mobile devices. Data security training was also found to be lacking. In issuing the fine, the ICO said there had been “systematic failings” at the nursing home.
The fine was issued despite the nursing home referring themselves to the ICO, no complaints being made by any of the staff or residents’ families and no confirmation that the information had been further disseminated. In determining the level of the fine, the nursing home received some credit for having self-reported its breach to the ICO.
The amount of the fine reflected the size of the business, with the ICO stating that a bigger organisation experiencing a similarly serious breach should expect to receive a much larger fine. The case therefore acts as a timely reminder that all businesses must take their legal duties to look after personal data seriously and should ensure adequate policies, procedures and equipment are in place. Simply having a work laptop password protected will not fulfil this duty.