UK’s Nursing and Midwifery Council fined £150,000 by ICO

On 15 February the ICO announced that three days earlier it had issued a Monetary Penalty Notice of £150,000 against the Nursing and Midwifery Council (NMC) over the loss of three unencrypted DVDs. The amount payable can be reduced by 20% if paid by 15 March 2013.

The lost DVDs included witness interviews concerning a ‘fitness to practise’ (FTP) investigation into a health professional; the hearing was being held at a Cardiff hotel. “The DVDs,” says the ICO, “contained confidential and highly sensitive information relating to alleged offences by a nurse and information about children who were identifiable from that information.” Two of the affected individuals, it added, “are vulnerable children.”

The material required for the hearing was packaged in the NMC offices and collected by a courier on 7 October. The packages were delivered to the hotel three days later and showed no sign of tampering, but the DVDs were missing and have never been found. As far as the ICO is concerned, the problem is that the DVDs were unencrypted.

“While many organisations are aware of the need to keep sensitive paper records secure,” commented David Smith, deputy commissioner and director of data protection at the ICO, “they forget that personal data comes in many forms, including audio and video images, all of which must be adequately protected.”

In fact, the ICO’s position on encryption is very clear: “The ICO recommends that portable and mobile devices including magnetic media, used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using approved encryption software which is designed to guard against the compromise of information.” 

Smith added, “Had that simple step been taken, the information would have remained secure and we would not have had to issue this penalty.”
