On Friday, 15 Feb 2013, the Information Commissioner's Office (ICO) announced that the UK Nursing and Midwifery Council (NMC) had been fined £150,000 for a breach of the Data Protection Act. (It is worth bearing in mind that the NMC has recently raised the registration fee for nurses to £100 per year.)
It seems that this fine is the result of the NMC sending evidence for a disciplinary hearing by courier on unencrypted discs. The following is from the ICO press release:
The council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. An ICO investigation found the information was not encrypted.
and David Smith, Deputy Commissioner and Director of Data Protection added:
The Nursing and Midwifery Council’s underlying failure to ensure these discs were encrypted placed sensitive personal information at unnecessary risk. No policy appeared to exist on how the discs should be handled, and so no thought was given as to whether they should be encrypted before being couriered. Had that simple step been taken, the information would have remained secure and we would not have had to issue this penalty.
This pretty much explains the fundamental mistake here: the sensitive data left the building on media that anyone who found it could read.
For the want of a policy document and free or low-cost encryption software, the Nursing and Midwifery Council has been fined £150,000. That is roughly one hundred times the cost of doing things properly, even if the creation of the policy documents had been fully outsourced.
This is a fundamental failure of security risk management and, worryingly, a sign that an organisation holding evidence, sensitive personal data and financial records does not have a security management approach robust enough to recognise the risks it is taking with that information.
Based on the information in the ICO statement it appears there are some lessons that can be learned from the NMC fine:
- Sending documents by courier is not a problem in itself, and is often the best mechanism where there is a lot of data (potentially over 14 GB in this instance, three full DVDs), but you need a policy governing how it is done.
- Any sensitive data should be encrypted before it leaves your control, whether it is on USB, DVD or sent over the internet. Encryption is cheap (free) and easy to use. The one thing it does not do for you is key management: the passphrase or key must travel separately from the discs (a phone call or a separate message to a named recipient), otherwise a lost package still contains everything needed to read it.
- Asset registers and document control registers are essential. In this case it seems likely that the discs were mislaid prior to shipping, but there doesn't appear to be any record of what was given to the courier or where the items were stored. This is very poor practice, especially as the material was to be used as evidence in a disciplinary hearing: without an issue record nobody can say what was lost, and without a receipt record nobody can say whether anything arrived.
- Security risk management is not optional. Without it (or if it is malfunctioning) your organisation faces massive costs and, as always, ignorance is never a defence.
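The asset-register and issue/receipt-log lessons above (and the closing paragraph's call for issue and receipt logs) are easy to state and rarely done. As an added illustration, not part of the original post or anything the NMC or ICO published, the following Python (standard library only) builds an issue manifest for a set of couriered disc images and checks a delivery against it. It assumes the images have already been encrypted with an external tool (the `.gpg` suffix is a placeholder assumption, as are the case reference, officer name and courier reference); the manifest records the SHA-256 of the encrypted container, so the recipient can confirm exactly what arrived without needing the key. The disc contents in `demo()` are constructed dummy bytes.

```python
"""Issue and receipt log for couriered media: record what was sent, verify what arrived."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so multi-gigabyte disc images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(case_ref, paths, issued_by, courier_ref):
    """Issue log: what was handed to the courier, by whom, under which consignment reference,
    with a digest of each item. The digest is taken over the encrypted container."""
    items = [
        {"name": os.path.basename(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
        for p in paths
    ]
    return {
        "case_ref": case_ref,
        "issued_by": issued_by,
        "courier_ref": courier_ref,
        "issued_at": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }


def verify_receipt(manifest, received_dir):
    """Receipt log: compare the delivered items against the issue manifest.
    Reports items that never arrived, items whose digest differs, and items not on the manifest."""
    expected = {i["name"]: i["sha256"] for i in manifest["items"]}
    present = set(os.listdir(received_dir))
    result = {"missing": [], "mismatched": [], "unexpected": sorted(present - set(expected))}
    for name, digest in expected.items():
        if name not in present:
            result["missing"].append(name)
        elif sha256_file(os.path.join(received_dir, name)) != digest:
            result["mismatched"].append(name)
    result["ok"] = not (result["missing"] or result["mismatched"])
    return result


def demo():
    """Constructed walk-through: three (placeholder) encrypted disc images are issued;
    in transit one goes missing and one is altered. The receipt check reports both."""
    with tempfile.TemporaryDirectory() as outbox, tempfile.TemporaryDirectory() as inbox:
        paths = []
        for n in (1, 2, 3):
            p = os.path.join(outbox, f"case-1234-disc{n}.img.gpg")  # assumed naming, not real evidence
            with open(p, "wb") as f:
                f.write(bytes([n]) * 4096)  # constructed dummy content
            paths.append(p)
        manifest = build_manifest("CASE-1234", paths, "records.officer", "courier-ref-0001")
        with open(os.path.join(outbox, "manifest.json"), "w") as f:
            json.dump(manifest, f, indent=2)  # the copy that stays with the sender

        # Simulated transit: disc 2 is lost, disc 3 arrives with one byte changed.
        for p in paths:
            name = os.path.basename(p)
            if name.endswith("disc2.img.gpg"):
                continue
            with open(p, "rb") as src, open(os.path.join(inbox, name), "wb") as dst:
                data = src.read()
                dst.write(data[:-1] + b"\x00" if name.endswith("disc3.img.gpg") else data)
        return verify_receipt(manifest, inbox)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest is signed or at least sent to the recipient by a channel other than the package, and the `verify_receipt` result is what gets filed as the receipt record. Hashing the encrypted container rather than the plaintext means the mail room can do the check without ever holding the decryption key.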
The important point, and it cannot be stated too often, is that you need a well thought out, well managed and well resourced (staff and budget) approach to security; otherwise you will, sooner or later, suffer a data loss. The cost of a security breach frequently and significantly outweighs the cost of prevention.
If you, or your organisation, handle sensitive data (personal or not) then you absolutely need to make sure that you know where all your assets are held (asset register), that you have some process for tracking how and where you send assets (issue and receipt logs), and that you have a security policy explaining how all this works.
Anything else is such poor risk management that you need to make sure you have some funds put to one side to cover the inevitable breaches. (If you work for the NMC and want help implementing this then get in touch; we can offer a special rate…)