NHS trust and local council hit back at ICO fines

A local council and a NHS Trust have come out fighting after being hit with data breach fines totalling 415,000 by the Information Commissioner's Office (ICO).

As reported by IT Pro last week, Brighton and Sussex University Hospitals NHS Trust received a record 325,000 fine after personal details belonging to thousands of staff and patients were found on hard drives sold via an internet auction site.

It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine, despite repeated attempts to find out.

In a statement, the ICO said the size of the fine was in direct proportion to the "scale and gravity" of the breach.

The trust has since confirmed to IT Pro that it plans to appeal against the judgement because it cannot afford to pay.

"We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover those that their sub-contractor placed on eBay. No sensitive data has entered the public domain," said Duncan Selbie, chief executive of Brighton and Sussex University Hospitals Trust, in a statement.

"We reported all of this voluntarily to the ICO who told me last summer that this was not a case worthy of a fine, [so] it is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine, despite repeated attempts to find out."

Earlier today, the ICO announced that Telford and Wrekin Council had been fined 90,000 after confidential details about four vulnerable children were disclosed during two similar data breaches.

The first took place in March 2011, when a member of the council's staff accidentally sent findings from a social care assessment to a child's sibling instead of their mother.

It also included details of another child who had made a serious, unspecified allegation against another youngster.