Privacy and Data Security

PRIVACY LAW CORNER
Welcome to Winston & Strawn's Privacy Law Corner, a blog where we cover recent developments in privacy and data security laws. We strive to give you not just updates, but an analysis of what lessons you can learn from these new cases, and practical tips to implement those lessons for your company. Our blog is edited by Winston & Strawn partner Liisa Thomas, and features authors from across the firm. To learn more about any of the cases or issues covered, please don't hesitate to contact one of us or your regular Winston & Strawn contact. To subscribe to these updates, please see the RSS icon at the top right of the page. You can also follow us on Twitter at @WinstonPrivacy.
June 21, 2012
U.K. ICO Fines Health Agency $498,300 for Data Security Failures

The Brighton and Sussex University Hospitals NHS Trust, located in southern England, was recently ordered to pay the U.K. Information Commissioner's Office (ICO) a civil monetary penalty of £325,000 ($498,300) over a data breach. The issue came to light after the Trust discovered that four of its hard drives had been sold to a third party online. Those drives had been slated for destruction: the Trust had hired a third-party vendor to destroy them as part of a batch of roughly 1,000 hard drives. The four drives contained highly sensitive personal information, including medical conditions, sexual preferences, STD test results, National Insurance numbers, addresses, and information about criminal convictions and suspected offenses. The Trust voluntarily notified the ICO, following the ICO's recommended procedures for responding to data breaches. The ICO then conducted an investigation and discovered a further 15 hard drives containing sensitive information that had also been sold. The ICO found that, by selecting a vendor that did not provide adequate safeguards, the Trust had breached the Data Protection Act 1998, which requires, inter alia, appropriate measures against accidental loss of personal data and, where a third-party processor is used, choosing one that provides sufficient security guarantees and taking reasonable steps to ensure it complies. According to the ICO, the Trust should have ensured that logs of destroyed hard drives were maintained, should have identified the risk of a breach sooner in order to limit the harm to patients and staff, and should have exercised closer supervision over the vendor and its employees. The ICO indicated that the voluntary notification resulted in a lower penalty than would otherwise have been assessed.

Tip: When developing a data breach notification plan, keep in mind that jurisdictions outside the U.S. may have voluntary reporting schemes with national authorities that, if followed, can reduce potential fines. To avoid the need to make such notifications in the first place, look not only at the security measures your own employees must follow, but also at the security requirements and controls you impose on vendors. For media disposal in particular, the ICO's findings point to concrete controls: record every drive handed to the vendor by serial number, require a certificate of destruction for each one, reconcile the two lists and chase every drive that is unaccounted for, and supervise the vendor's staff rather than relying on the contract alone. Full-disk encryption of drives that hold personal data is a further safeguard, since a drive that escapes the disposal process then yields nothing readable.
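The reconciliation check described in the tip above, as an added example (not code from the original post, the Trust or the ICO): a small Python script that compares an asset-disposal manifest against a vendor's certificates of destruction, serial by serial, and flags drives that were handed over but never certified destroyed, drives the vendor certified that were never handed over, serials certified twice, and drives destroyed outside an agreed turnaround window. The serial numbers, asset tags, dates, certificate IDs and the seven-day SLA are all constructed for illustration.

```python
"""Reconcile a drive-disposal manifest against vendor certificates of destruction.

Added example; all data below is constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed: what the organisation's asset register says was handed to the vendor.
MANIFEST_CSV = """serial,asset_tag,handed_over,contains_pii
WD-1001,AST-0001,2010-09-01,yes
WD-1002,AST-0002,2010-09-01,yes
WD-1003,AST-0003,2010-09-01,no
WD-1004,AST-0004,2010-09-01,yes
WD-1005,AST-0005,2010-09-02,yes
"""

# Constructed: what the vendor's certificates of destruction report back.
CERTIFICATES_CSV = """serial,destroyed_on,method,certificate_id
WD-1001,2010-09-03,shred,CERT-77
WD-1003,2010-09-03,shred,CERT-77
WD-1005,2010-09-20,shred,CERT-81
WD-9999,2010-09-03,shred,CERT-77
WD-1001,2010-09-04,degauss,CERT-78
"""


@dataclass
class Reconciliation:
    unaccounted: list = field(default_factory=list)      # handed over, never certified destroyed
    unaccounted_pii: list = field(default_factory=list)  # subset of the above holding personal data
    unexpected: list = field(default_factory=list)       # certified destroyed, but never handed over
    duplicates: list = field(default_factory=list)       # same serial certified more than once
    late: list = field(default_factory=list)             # destroyed after the agreed SLA window

    def is_clean(self) -> bool:
        """True only when every handed-over drive is certified exactly once, on time."""
        return not (self.unaccounted or self.unexpected or self.duplicates or self.late)


def parse_rows(text: str) -> list:
    """Parse a CSV export (header row first) into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(manifest_rows, cert_rows, sla_days: int = 7) -> Reconciliation:
    """Match certificates to the manifest by serial number and report every discrepancy."""
    handed = {r["serial"].strip(): r for r in manifest_rows}
    certified = {}
    for c in cert_rows:
        certified.setdefault(c["serial"].strip(), []).append(c)

    rec = Reconciliation()
    for serial, row in handed.items():
        certs = certified.get(serial)
        if not certs:
            # This is the Brighton failure mode: a drive left the building and nobody can
            # prove it was destroyed. Escalate before it turns up for sale.
            rec.unaccounted.append(serial)
            if row["contains_pii"].strip().lower() == "yes":
                rec.unaccounted_pii.append(serial)
            continue
        handed_on = date.fromisoformat(row["handed_over"])
        for c in certs:
            destroyed_on = date.fromisoformat(c["destroyed_on"])
            if destroyed_on - handed_on > timedelta(days=sla_days):
                # A long gap between hand-over and destruction is exposure time to chase up.
                rec.late.append(serial)
                break

    for serial, certs in certified.items():
        if serial not in handed:
            # The vendor is reporting drives we never gave it: a sign its records are unreliable.
            rec.unexpected.append(serial)
        if len(certs) > 1:
            # Two certificates for one serial means at least one certificate is not evidence.
            rec.duplicates.append(serial)

    for lst in (rec.unaccounted, rec.unaccounted_pii, rec.unexpected, rec.duplicates, rec.late):
        lst.sort()
    return rec


if __name__ == "__main__":
    result = reconcile(parse_rows(MANIFEST_CSV), parse_rows(CERTIFICATES_CSV))
    print("clean:", result.is_clean())
    for name in ("unaccounted", "unaccounted_pii", "unexpected", "duplicates", "late"):
        print(f"{name}: {getattr(result, name)}")
```

Run against the constructed data, the check reports WD-1002 and WD-1004 as unaccounted drives holding personal data, WD-9999 as a serial the vendor certified but the organisation never handed over, WD-1001 as certified twice, and WD-1005 as destroyed outside the seven-day window. The point of keying everything on serial numbers is that a count ("1,000 drives in, 1,000 certified") cannot detect a swapped or missing unit; only a per-serial match can.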



Caroline A. Wenzke and Liisa M. Thomas