The Information Commissioners Office has handed out an unusually severe £150,000 fine to the Nursing and Midwifery Council for losing unencrypted DVDs full of sensitive data while they were being transported to a misconduct hearing.
The three DVDs of highly sensitive witness videos of children were supposed to delivered to a Cardiff hotel for the nurse’s fitness to practise’ hearing on 7 October 2011, but the package was found to be empty.
Despite there being no obvious sign of tampering, the DVDs were never found.
A key issue for the ICO appears to have been the lack of encryption of the material and the fact that the Council - itself the UK's nursing regulator - turned out to have no policy for ever securing physical media, either in transit or while being stored.
Worse still, it emerged that the organisation had sent unsecured DVDs to such hearings before.
“The Nursing and Midwifery Council’s underlying failure to ensure these discs were encrypted placed sensitive personal information at unnecessary risk,” said ICO deputy commissioner and director of data protection, David Smith.
“Had that simple step been taken, the information would have remained secure and we would not have had to issue this penalty,” he said.
“It would be nice to think that data breaches of this type are rare, but we’re seeing incidents of personal data being mishandled again and again.”
The ICO first published advice on securing portable media in 2007, it pointed out.
The Information Commissioner did note that the Nursing and Midwifery Council had reported the incident after carrying out an investigation and that remedial action had now been taken.
The fine counts as a towards the upper end of the spectrum for the ICO although still well below the £250,000 fine slapped on Sony for its 2011 PlayStation hack.