Welsh board first NHS organization to be fined for data breach

01 May 2012

The UK Information Commissioner’s Office (ICO) has fined the Aneurin Bevan Health Board in South Wales £70,000 for a “serious breach” of the Data Protection Act, the first National Health Service (NHS) organization to receive a data breach fine.

The breach occurred when a doctor emailed a letter with patient information to a secretary for formatting, but did not include enough information for the secretary to identify the correct patient, the ICO said in a statement. The doctor also misspelled the name of the patient, which led to the report being sent to a former patient with a similar name.

The ICO found that neither person had received data protection training and that the board did not have adequate checks in place to ensure that personal information was sent to the correct person. These poor practices were also used by other clinical and secretarial staff across the organization, the ICO noted.

“Aneurin Bevan Health Board failed to have suitable checks in place to keep the sensitive information they handled secure. This case could have been extremely distressing to the individual and their family and may have been prevented if the information had been checked prior to it being sent”, commented Stephen Eckersley, ICO’s head of enforcement.

The board also agreed to address the concerns the ICO raised during its investigation: ensuring that all staff are made aware of, and trained on, the organization’s policies on the storage and use of personal data; that compliance with data protection and IT security policies is monitored appropriately and regularly; and that new checking processes are introduced across all sites to confirm a patient’s identity before personal information is sent out.
