Nursing home fined for a data breach after a laptop with residents’ details is stolen
A nursing home in County Antrim has been fined £15,000 for failing to adequately protect sensitive data about its staff and residents.
This story is a look back in history, but it reminds me of similar incidents involving many different types of business, including a building society.
The Information Commissioner’s Office (ICO) launched the investigation in 2014 after an unencrypted laptop, taken home by a member of staff at Whitehead Nursing Home, was stolen in a domestic burglary.
The ICO found ‘widespread systemic failings’ in data protection at the nursing home at the time. It said the home had put its employees and residents at risk by failing to follow basic procedures for managing and looking after the personal information in its care.
The ICO also made it clear that it was prepared to fine anyone who broke the rules.
The unencrypted laptop contained sensitive personal details relating to 46 staff. The data included reasons for sickness absence and information about disciplinary matters. Personal details of 29 residents were also held on the laptop. This data included their date of birth, mental and physical health and ‘do not resuscitate’ status.
The law requires organisations to have measures in place to keep the personal information they hold secure. However, the nursing home had no policies covering the use of encryption, homeworking or the storage of mobile devices, nor did it provide enough data security training for its staff. This is particularly relevant now that more staff than ever are working from home.
The investigation revealed major flaws in the nursing home’s approach to data protection. Employees expect any details about disciplinary matters or their state of health to be kept safely. The same applies to residents, whose details shouldn’t be stored on an unprotected laptop.
It is clear that Whitehead Nursing Home had totally inadequate provisions for IT security and procedure and poor data protection training.
Whitehead Nursing Home acknowledged that there were technical breaches of the Data Protection Act 1998, however, they claimed that these were largely outside their control given that the laptop in question was stolen in a burglary from an employee’s home. The laptop in question was password-protected to restrict access to unauthorised persons, however the technical breach was in relation to the lack of full encryption.
The home was disappointed with the fine after cooperating with the Police. However, the fact remains that they didn’t know the law. Potential victims were also informed but a password-protected laptop doesn’t stop data being taken from the hard drive. Ignorance is not an excuse.
COVID-19 has sent many staff home – have you assessed whether all your systems are safe for this type of working? Are all drives encrypted? Don’t presume anything: encryption doesn’t come as standard, it has to be turned on. Passwords! Long enough? Complex? Regularly changed?
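As an added illustration (this is not from the original post, nor from the ICO or the nursing home), here is a PowerShell check that answers the “are all drives encrypted?” question on a Windows laptop. It assumes Windows 10/11 with the built-in BitLocker module and is run from an elevated session; the function name `Get-DriveEncryptionReport` is my own.

```powershell
# Added example (not from the original post): report whether every BitLocker
# volume on this Windows machine is actually protected, not merely "encrypted".
# Assumes Windows 10/11 with the BitLocker module, run from an elevated session.

function Get-DriveEncryptionReport {
    foreach ($vol in Get-BitLockerVolume) {
        # A volume is only safe if encryption has finished AND protection is on.
        # "FullyEncrypted" with ProtectionStatus "Off" means the key protectors
        # are suspended, so the disk would be readable if the laptop were stolen.
        $ok = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')
        $result = if ($ok) { 'PROTECTED' } else { 'NOT PROTECTED' }

        [PSCustomObject]@{
            Drive            = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            PercentEncrypted = $vol.EncryptionPercentage
            KeyProtectors    = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
            Result           = $result
        }
    }
}

$report = Get-DriveEncryptionReport
$report | Format-Table -AutoSize

# Exit non-zero if any drive is unprotected, so the check can be scheduled or
# pushed out by an endpoint-management tool to every home-working laptop.
if ($report | Where-Object { $_.Result -ne 'PROTECTED' }) { exit 1 } else { exit 0 }
```

The point of checking both `VolumeStatus` and `ProtectionStatus` is that a drive can be fully encrypted yet have its protection suspended (for example after a firmware update that was never resumed); such a laptop looks “encrypted” in a casual check but would be just as exposed in a burglary as the one in this story.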
If you are a director or senior manager of a care home or care homes, we can help you understand your security posture. Don’t be caught out by easy-to-avoid mistakes. Call us today on 03333 22 1011 or book a meeting here and we will be in touch. You can also contact us here.