Brighton and Sussex University Hospitals NHS Trust has said it “simply cannot afford to pay” a £325,000 fine handed down by the Information Commissioner’s Office and is appealing to the Information Tribunal.
The ICO announced last Friday that the trust had been issued a record-high fine of £325,000 for breaching the Data Protection Act.
The breach occurred after a contractor that the trust paid to destroy hundreds of hard drives, containing sensitive patient information, instead sold them on eBay.
ICO deputy commissioner and director of data protection David Smith said the trust “failed significantly in its duty to its patients” and the fine should set an example for all organisations.
However, Brighton and Sussex University Hospitals chief executive Duncan Selbie said the trust disputed the ICO’s findings, especially the charge that the trust was reckless, which is a requirement for any fine.
He added that in times of austerity, the trust hasa pressing duty to deliver the best and safest care to its patients with the money available.
“We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal.”
Selbie said the Information Commissioner’s Office had ignored the trust’s extensive representations.
“It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine,” he said in a statement.
“[We have made] repeated attempts to find out, including a freedom of information request, which they interestingly refused on the basis that it would ‘prejudice the monetary penalty process’.”
Selbie said no sensitive data had “entered the public domain” due to the hard drives theft.
“We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay,” he said.
“We reported all of this voluntarily to the Information Commissioner’s Office, who told me last summer that this was not a case worthy of a fine.”