The Chief Executive of Brighton and Sussex University Hospitals NHS Trust has come out fighting. Having just received a record £325,000 civil monetary penalty for DPA breaches, Mr Duncan Selbie has declared that he doesn’t understand what is going on, and he will appeal the CMP forthwith. There is a small part of me that hopes he is right. If I ever get my wish to retire to the Flanders countryside to run a microbrewery, the first brew out of the garage will be one called Schadenfreude. The spectacle of the ICO enduring an epic reversal would not be unenjoyable.
Mr Selbie may miss the Tribunal as he is leaving the Trust to take over a new quango called Public Health England (one can only hope he maintains the same high standards in his new role). Meanwhile, someone else will presumably step up to refute the ICO’s case with a fully worked-out contract signed by the Trust and its contractors, setting out exactly what security measures they were to employ, and how they deal with subcontractors. They will thrill the Tribunal with records showing that they knew exactly who the chap was who spirited 252 hard drives out of their premises, that their tight security was foxed only by means of a Mission Impossible rope trick, and the precision with which the Trust checked how their requirements were being carried out will make passing watchmakers weep with envy.
On the other hand, if the defence really is the current line of A Big Boy Did It And Ran Away, one can only fear for Selbie and the Trust’s brass neck when the scrap metal thieves get wind of it. For the record, when this one is resolved, my money is on the Information Commissioner popping corks from bottles called I Told You So.
The facts in the notice are these – and unless Brighton disputes them, they should follow their own corporate rules (two of which are ‘lead not blame’ and ‘solve not excuse’) and just pay the fine. The contract between Brighton and their main contractor SHIS had expired. In any case, it did not set out security requirements that SHIS had to follow, and did not prevent SHIS from using a subcontractor. Brighton apparently did not even know that SHIS used one. This suggests that when the subcontractor came into their premises and took away at least 252 hard drives, Brighton did not know that he was a subcontractor – in a sense, they did not know who he was when he was in their building, taking away their patients’ precious data. No alarm bells rang when the subcontractor was willing to dispose of thousands of hard drives unpaid. Even when the breach was first pointed out to them, the Trust was unable to recognise its true scale.
The ICO is not incapable of making a mistake. If these are not the facts, they owe Mr Selbie and his Trust an abject apology. But if they are right, Mr Selbie’s claim not to understand why his organisation has been punished is remarkable and worrying. A third party with no contract was able to enter a Trust building and take hundreds of hard drives unnoticed, even though nobody really knew who he was. If the organisation had been so reckless with its money, I doubt he would be so bumptious. However, this apparently complacent approach is effectively the same thing. No amount of shroud waving about what they could have spent the penalty money on makes any difference. The cost of avoiding this shambles altogether would have been tiny by comparison. The cost of creating a framework sufficiently robust to prevent the ICO from being able to argue that the incident could have been prevented – even if it had happened – would have been even smaller.
Here’s what they needed to do:
- Have a clear contract with their contractor, putting them under obligations to look after personal data properly
- Ensure that the issue of subcontractors was properly dealt with – either forbidding them or requiring any subcontractors to be put under the same obligations
- Obtain evidence periodically that the above was being complied with
Anybody could have done these things, and every day, thousands of organisations large and small do just that. If they had done these things, the CMP would be misconceived. If they had not, the incident is appalling and their reaction is even worse. Any attempt to appeal without evidence of the proper contracts and checks being in place – especially as an appeal will require them to pay for legal representation and commit further time and resources – would be a scandal.
An organisation must be allowed to defend itself robustly when the ICO comes calling, especially as some of the recent CMPs have focussed on mishaps that could happen in any organisation. I’m not convinced that having work documents in your bag in the pub when it is stolen should carry a £100,000 price tag. I think the Commissioner sometimes hits another CMP target by over-egging the link between an email sent to the wrong place and a missing policy that may not have made any difference. But the account given of Brighton’s apparent inaction distinguishes it from many of the other CMP cases. It’s why the ICO’s blinkered focus on security breaches is sometimes absolutely right.
If these facts are correct, this punishment is entirely justified. It sounds like a systematic corporate failure, not a one-off cock-up, precisely what the CMPs were designed for. Having inadequate contracts that allow uncontrolled strangers to access the most private and sensitive of health information is very different to sending an email to the wrong recipient. I enjoy a bit of ICO-bashing more than most, but they have it exactly right here. Mr Selbie should show real leadership, by apologising for this shambles and taking his medicine.