This post was written by Cynthia O’Donoghue.

The UK Information Commissioner’s Office (“ICO”) has issued its largest-ever fine of £325,000 ($503,705 USD) to Brighton and Sussex University Hospitals NHS Trust following the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff, including information relating to sexual health and HIV, on hard drives sold on an Internet auction site in October and November 2010. This marks the highest fine for a “serious breach” of the UK Data Protection Act issued to date by the ICO. In April 2010, the ICO was granted additional powers to issue monetary penalties of up to £500,000.

The ICO’s Deputy Commissioner and Director of Data Protection David Smith said in a statement that the high amount of the penalty “reflects the gravity and scale of the data breach.” The fine is also meant to deter lax compliance by warning organisations that they remain liable for the information management activities they outsource.

The Brighton and Sussex University Hospitals NHS Trust had outsourced the destruction of 1,000 hard drives which contained the sensitive data to a third party. However, rather than being destroyed, some of the hard drives were sold in an auction.

Since January 2012, the ICO has issued at least eight fines ranging from £70,000 to £140,000 for various serious data breaches. Some of the highest penalties issued to date have included:

  • £140,000, issued in January of this year against Midlothian Council for disclosing sensitive personal data relating to children and their carers to the wrong recipients on five occasions
  • £130,000, issued in December 2011 to Powys County Council after the details of a child protection case were sent to the wrong recipient
  • £120,000, issued in June 2011 against Surrey County Council after sensitive personal information was emailed to the wrong recipients on three occasions

The ICO is increasingly using its powers to issue fines and, by doing so, sending a strong message that serious breaches of the Data Protection Act will not be tolerated.