The hospital trust for Brighton and Hove has paid a “staggering” £260,000 fine to the Information Commissioner’s Office (ICO).
Brighton and Sussex University Hospitals NHS Trust had until 5pm on Monday (25 June) to appeal or pay the fine.
The amount would have been £325,000 if it had missed the deadline and initially the ICO had indicated that it would be £375,000.
The ICO fined the trust, which runs the Royal Sussex County Hospital, for a breach of the Data Protection Act.
The breach was the result of a contractor stealing computer hard drives from the trust which he was supposed to destroy.
Instead of destroying them all, he sold some on eBay, the internet auction site in the autumn of 2010.
The hard drives contained sensitive personal data about tens of thousands of patients and staff – including details of patients being treated for HIV and sexual infections.
A spokesman for the ICO said: “We are pleased that Brighton and Sussex University Hospitals NHS Trust has now accepted the ICO’s ruling in paying the monetary penalty early in order to receive a 20 per cent discount.”
The trust’s interim chief executive Chris Adcock said: “We have made repeated attempts over the past six months, most recently last week, to reach a settlement that recognised that errors were made but no harm arose, all of which have been rejected by the Information Commissioner’s Office.
“The fine is a staggering amount of money given that there was no loss of data, we informed the ICO at the time, co-operated throughout with them, the police and Crown Prosecution Service and recovered everything.
“There is, however, nothing more odious than one public body having a public argument with another at the taxpayer’s expense.
“We are not prepared to incur further costs and are therefore paying the ICO £260,000.”
Duncan Selbie, who was chief executive when the theft occurred, said before he left the trust for a new job that he would rather have spent the money on treating patients.
While data had been at risk, he said, no actual harm was done.
In contrast, the Criminal Injuries Compensation Authority will pay out a maximum of £11,000 to someone who loses a loved one as the result of violent crime.
Simon Kirby, the MP for Brighton Kemptown, said: “While I am reluctant to comment on quasi judicial processes I have written to the Information Commissioner’s Office raising concerns about the severity of the punishment.“I am naturally keen to avoid patients again being the innocent victims.”
What happened to the thieving contractor? What punishment there? Any? A charge from the police even? As one of the many thousands of patients almost certainly affected by that theft, I would like to know.
Perhaps compensation from the contractor is in order – to the tune of a few hundred thousand Pounds.
The thieving contractor got away scott free. Did you really expect the police to investigate a crime?
As for the ICO they wouldn’t have touched him although he allegedly committed a criminal offence (Section 55 of the Data Protection Act). Why shoul dthey go after him or a provate body they only prosecute public bodies, i.e. the tax payer.