A nursing home has been fined £15,000 for failing to look after the sensitive personal data of staff and residents.
The data protection breach occurred when a member of staff at Whitehead Nursing Home in Northern Ireland took unencrypted work home on a laptop. The laptop, which held personal information relating to 46 staff and 29 nursing home residents, was stolen in an overnight burglary.
The staff data included reasons for sickness absences and details of disciplinary matters. The residents’ data included their date of birth, details about their mental and physical health and their ‘do not resuscitate’ status.
An Information Commissioner’s Office (ICO) investigation found widespread systematic data protection failings at the nursing home. There were no policies in place to cover data encryption, home working or mobile-device use and the nursing home had not given its staff enough data-security training.
Gaby Hardwicke Employment Law Services Partner Paul Maynard (pictured) commented: “Official statistics suggest 14 per cent of the working population work from home. In addition, how many others – business owners included – take laptops or other data-storage devices home with them at the end of the day? Just how many of these devices store unencrypted personal data? Any employer who fails to take reasonable steps to protect the data of their employees or customers – for example, through data encryption – is asking for trouble.
“Unsurprisingly, in the current climate of cyber-attacks the ICO takes data security extremely seriously, as is reflected in the level of this fine. All employers should not just review their existing data and homeworking policies to ensure that they are fully compliant but also ensure that those policies are being followed by, for example, undertaking regular audits of their staff.”
Expert advice on managing personal data
For expert advice on all employment law issues – including the management of personal data and other confidential business information – contact Paul Maynard: