Clarkslegal LLP - Solicitors in Reading and London

Legal Updates

Information Commission flexes muscles over Data Protection infringements

11 September 2012 #Dispute Resolution

Since May 2011 the Information Commissioner’s Office (the “ICO”) has had the power to issue Civil Monetary Penalties (“CMPs”) of up to £500,000 for serious breaches of the Data Protection Act. 

Typical breaches where CMPs may be imposed include loss or mishandling of confidential data and unwanted marketing emails and texts. 

Over the past few months the ICO has shown an increased readiness to use this power. This follows a spate of high profile cases where sensitive, confidential information has been lost by public authorities and multinational companies.

The largest penalty so far, £325,000, was imposed against Brighton and Sussex University Hospitals NHS Trust in June this year. This followed the discovery that hard drives previously owned by the NHS Trust were being sold on internet auction sites still containing patient information, including medical conditions and treatment details. 

The NHS Trust had retained the services of Sussex Health Informatics Services (“Informatics”) to destroy 1,000 hard drives which had been held in a secure room at Brighton General Hospital. A number of these hard drives made their way onto internet auction sites, and the ICO were notified of the infringement by a data retrieval company who had purchased some of them. It transpired that the individual retained by Informatics to destroy the hard drives had managed to remove over 250 of the hard drives from the secure room at the hospital. The size of the penalty reflects the severity of the data breach. The NHS Trust was found to have failed significantly in its duty to its patients and staff. This CPU is one of five recently issued against NHS Trusts who have failed to protect the confidentiality of patient records

These cases are timely reminders to all organisations that process personal data that they need to take appropriate measures to prevent the accidental loss, destruction or damage to personal data. Failing to do so is a breach of the Data Protection Act and can lead to large penalties. 

If faced with a security breach, organisations need to act fast to ensure the damage is contained, the information is retrieved if possible, and that the appropriate notifications are made. Depending on the circumstances, this may involve notifying the individual affected, the Information Commission and, in serious cases, the police.

In order to minimise the risk of security breaches happening and being fined by the ICO if they do happen, it is sensible for all organisations to have in place policies and procedures for protecting personal data and for dealing with unauthorised disclosures.

Clarkslegal, specialist Dispute Resolution lawyers in London, Reading and throughout the Thames Valley.
For further information about this or any other Dispute Resolution matter please contact Clarkslegal's dispute resolution team by email at by telephone 020 7539 8000 (London office), 0118 958 5321 (Reading office) or by completing the form on this page.
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Read more articles

Chris Tayton

Chris Tayton

T: 0118 960 4691
M: 07880 746 918


Dispute Resolution team
+44 (0)118 958 5321