The second NHS organisation to be fined by the Information Commissioner’s Office for breaching the Data Protection Act has said it will appeal against the penalty.
Central London Community Healthcare NHS Trust said it had instructed lawyers to appeal against the £90,000 fine imposed by the ICO after a member of its staff repeatedly faxed personal data to the wrong number.
The penalty notice says patient lists from the Pembridge Palliative Care Unit that were intended for St John’s Hospice were faxed to the wrong recipient.
The problem started when an administrator at the trust agreed to add a second number to an existing fax arrangement, while one of the out-of-hours doctors was on leave.
The administrator failed to obtain management approval or update a protocol requiring a check-call to the hospice to make sure that the information had arrived safely.
As a result, patient lists were repeatedly sent to both numbers. The unintended recipient telephoned the trust to say they had received around 45 faxes over three months.
The faxes included medical diagnoses, information about patients’ domestic arrangements, and resuscitation instructions. Fortunately, the recipient shredded them.
Despite this, an ICO investigation found the trust failed to provide adequate training to the member of staff involved, failed to put sufficient checks in place to prevent the problem happening, and failed to consider alternatives to fax, “such as secure email.”
The trust has since stopped sending inpatient lists by fax to the hospice, carried out its own investigation, and is looking into “more secure” means of sending confidential and personal data to other organisations.
However, in a statement to the BBC, the trust said that while the error was “hugely regrettable” it considered that the information commissioner had “acted incorrectly as a matter of law, and so we have no alternative but to bring an appeal.”
Aneurin Bevan Health Board became the first NHS organisation to be fined by the ICO, which can impose penalties of up to £500,000 for serious or reckless breaches of the DPA.
The health board was fined £70,000 for sending highly confidential information about a patient with mental health issues to the wrong person.